[SA10523] Internet Explorer showHelp() Restriction Bypass Vulnerability
From: Secunia Security Advisories (sec-adv secunia.com)
Date: Fri Jan 02 2004 - 12:26:08 CST
TITLE:
Internet Explorer showHelp() Restriction Bypass Vulnerability
SECUNIA ADVISORY ID:
SA10523
VERIFY ADVISORY:
http://www.secunia.com/advisories/10523/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass
WHERE:
From remote
SOFTWARE:
Microsoft Internet Explorer 6
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01
DESCRIPTION:
Arman Nayyeri has discovered a variant of the older showHelp() zone
bypass vulnerability, which works in Internet Explorer with all
current patches.
Websites can call the showHelp() function and open locally installed
"CHM" files, which are compressed help files. These may contain
references to system commands and can execute code with the
privileges of the logged-in user.
Normally, it isn't a problem that Internet Explorer allows websites
to open locally installed "CHM" files as they are considered trusted.
However, other files can be treated as "CHM" files by using a special
syntax with a double ":" appended to the file name combined with a
directory traversal using the "..//" character sequence.
This can be exploited if a program such as WinAmp, XMLHTTP, ADODB
stream or others allows websites to place files in a known location.
An example exploit has been published, which is capable of running
arbitrary code on the system if WinAmp is installed in the default
location.
The vulnerability has been confirmed in fully patched Internet
Explorer 6 with WinAmp 5 installed.
SOLUTION:
Disable active scripting support and enable it only for trusted
sites.
Filter HTML pages with references to "showHelp()" using an HTTP proxy
or firewall with content filtering capabilities.
Use another product.
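The content-filtering workaround above, sketched as an added example
that is not part of the Secunia advisory: a Python check a filtering
proxy could run over HTML response bodies. The function names and the
sample pages are constructed for illustration, and the "variant" label
widens the advisory's "..//" to any "../" or "..\" sequence.

```python
import html
import re
from urllib.parse import unquote

# A showHelp( call and, when present, its first string-literal argument.
CALL_RE = re.compile(r"\bshowHelp\s*\(\s*(?:(['\"])(.*?)\1)?", re.I | re.S)
JS_ESC_RE = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))")

def normalise(arg):
    """Undo JS \\xNN / \\uNNNN escapes and %NN encoding so tokens cannot hide."""
    arg = JS_ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), arg)
    return unquote(arg)

def scan_html(body):
    """Return (label, argument) for every showHelp() reference in an HTML body."""
    findings = []
    # Entity-decode first: inline handlers carry quotes as &quot; / &#34;.
    for m in CALL_RE.finditer(html.unescape(body)):
        if m.group(2) is None:
            findings.append(("reference", None))  # argument is built at run time
            continue
        arg = normalise(m.group(2))
        # Advisory pattern: "::" on the file name plus "..//" traversal
        # (assumption: widened here to any "../" or "..\" sequence).
        variant = "::" in arg and re.search(r"\.\.[/\\]", arg) is not None
        findings.append(("variant" if variant else "reference", arg))
    return findings

def should_block(body):
    """Advisory's workaround: filter any page that references showHelp()."""
    return bool(scan_html(body))

# Constructed sample pages; file names are placeholders, not real paths.
SAMPLES = [
    '<script>showHelp("PLACEHOLDER.chm::..//..//PLACEHOLDER/file.dat");</script>',
    '<a onclick="window.showHelp(&quot;local.chm&quot;)">Help</a>',
    r"<script>showHelp('a.chm\x3a\x3a..\x2f\x2f..\x2f\x2fb')</script>",
    "<script>showHelp(target)</script>",
    "<p>No scripted help on this page.</p>",
]

if __name__ == "__main__":
    for page in SAMPLES:
        print(should_block(page), scan_html(page))
```

The "variant" label is only for logging and triage; blocking follows
the advisory and triggers on any showHelp() reference, including calls
whose argument is assembled at run time.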
PROVIDED AND/OR DISCOVERED BY:
Arman Nayyeri
OTHER REFERENCES:
The old Internet Explorer showHelp() function vulnerability
(SA8004):
http://www.secunia.com/advisories/8004/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://www.secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://www.secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------