vendor: Windows Internet Explorer
by: Not mentioned
CVSS: 7.5 HIGH
URI Handlers Restriction Bypass
CWE: 200
Product Name: Windows Internet Explorer
Affected Version From: Microsoft Windows Internet Explorer 6.0 SP1
Affected Version To: Not mentioned
Patch Exists: NO
Related CWE: Not mentioned
CPE: Not mentioned
Metasploit:
Other Scripts:
Platforms Tested: Windows
Not mentioned

Microsoft Windows Internet Explorer 6.0 SP1 URI Handlers Restriction Bypass Vulnerability

Microsoft Windows Internet Explorer 6.0 SP1 introduced restrictions for certain URI handlers (such as file:// and res://). It has been demonstrated in the past that these URI handlers could be abused and incorporated into different types of attacks against users of the browser, such as cross-protocol scripting attacks or attacks which access local resources.

As a safety measure, Service Pack 1 addressed this issue by restricting the client from accessing any of the dangerous URI handlers from the Internet Zone.

However, it is possible to circumvent these restrictions by employing a HTTP redirect to a page which contains one of the restricted URIs.

It is still possible to open any file:// or res:// file automatically with:

<object type="text/html" data="redirect.asp"></object>

where redirect.asp makes a HTTP redirect using this HTTP header:

Location: file://c:/test.txt
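
The gap described above, modelled as an added example (not part of the original advisory and not Microsoft code): a scheme policy applied only to the requested URL, beside one re-applied to every redirect target. The function name, the site.example host and the response table are constructed for illustration.

```javascript
// Added example: models the zone check; all names and sample data are constructed.
const RESTRICTED_SCHEMES = new Set(["file:", "res:"]); // handlers named in the advisory
const MAX_REDIRECTS = 5;

// Constructed sample: status and Location header each URL would answer with.
const SAMPLE_RESPONSES = {
  "http://site.example/redirect.asp": { status: 302, location: "file://c:/test.txt" },
  "http://site.example/a": { status: 302, location: "/b" },
  "http://site.example/b": { status: 200 },
};

// Simulates loading startUrl as Internet Zone content.
// checkRedirects=false: scheme policy applied to the requested URL only (the gap).
// checkRedirects=true:  scheme policy re-applied to every Location target.
function loadFromInternetZone(startUrl, responses, checkRedirects) {
  let url = new URL(startUrl);
  if (RESTRICTED_SCHEMES.has(url.protocol)) {
    return { allowed: false, blocked: startUrl, hops: 0 };
  }
  for (let hops = 0; hops <= MAX_REDIRECTS; hops++) {
    const res = responses[url.href];
    const isRedirect = res && res.status >= 300 && res.status < 400 && res.location;
    if (!isRedirect) {
      return { allowed: true, finalScheme: url.protocol, hops };
    }
    const next = new URL(res.location, url); // resolves relative Location values
    if (checkRedirects && RESTRICTED_SCHEMES.has(next.protocol)) {
      return { allowed: false, blocked: res.location, hops };
    }
    url = next;
  }
  return { allowed: false, blocked: "redirect limit exceeded", hops: MAX_REDIRECTS };
}

const target = "http://site.example/redirect.asp";
console.log("initial-URL check only:", loadFromInternetZone(target, SAMPLE_RESPONSES, false));
console.log("check on every hop:   ", loadFromInternetZone(target, SAMPLE_RESPONSES, true));
```

The same per-hop rule is what a proxy or log review would look for: a 3xx response from an Internet host whose Location value uses a local-resource scheme.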

Mitigation:

Not mentioned
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/5730/info

Microsoft Windows Internet Explorer 6.0 SP1 introduced restrictions for certain URI handlers (such as file:// and res://). It has been demonstrated in the past that these URI handlers could be abused and incorporated into different types of attacks against users of the browser, such as cross-protocol scripting attacks or attacks which access local resources. 

As a safety measure, Service Pack 1 addressed this issue by restricting the client from accessing any of the dangerous URI handlers from the Internet Zone.

However, it is possible to circumvent these restrictions by employing a HTTP redirect to a page which contains one of the restricted URIs.

It is still possible to open any file:// or res:// file automatically with: 

<object type="text/html" data="redirect.asp"></object> 

where redirect.asp makes a HTTP redirect using this HTTP header: 

Location: file://c:/test.txt