mailing list archives
Microsoft IE cookies readable via about: URLS
From: Jouko Pynnonen <jouko () solutions fi>
Date: Thu, 8 Nov 2001 15:32:54 +0200 (EET)
Microsoft Internet Explorer has a vulnerability which allows a malicious
website to access any cookie in the browser's memory or those stored on
disk. Cookies are used by web sites for storing preferences, statistics
and tracking users, but also for storing more sensitive information such
as session keys and even usernames and passwords. Cookies are used by
many (probably most) online banks, webmail systems, and other sites
requiring user authentication.
Access to cookies may allow an attacker to retrieve passwords or other
sensitive information, or hijack authenticated web sessions.
What makes this possible are certain features of "about:" URL handling of
IE. For some reason, an URL starting with "about:" can contain html code
that will be interpreted by the browser. For instance entering the URL
"about:<h1>hello</h1>" brings up a page with the heading "hello". The URL
causes an alert box to be displayed:
Finally, the about URL may have a hostname placed after the colon, and IE
uses that hostname when determining the cookies to use:
The above URL would result in IE displaying cookies of www.anydomain.fi
in the alert box, assuming that the site has been visited and it has set
a cookie which hasn't expired.
browser to an about: URL similar to the one above, and do anything with
the cookie information of any selected domain. Instead of showing an
script or a CGI program which could quietly store the information to a
file and then redirect the browser elsewhere or show some seemingly
harmless web content.
A web page for testing the vulnerability can be found at
"http://") and it will tell you if your browser is vulnerable to the
problem. For a relatively harmless test case try typing the address
www.google.com in the box (assuming you've visited Google before).
At least IE versions 6 and 5.50 appear to be vulnerable, but it looks
like some older versions like 5.00 isn't, at least in the way described
data in document.cookie.
A vulnerability with the same impact came public in May 2000, see
Microsoft was contacted November 1st. Their response was quick and they
are producing a patch to be released soon (if not already released).
Until then, you can protect yourself from the vulnerability by disabling
cookies (at Tools -> Internet options -> Security -> Customize) or by
switching to another browser such as Opera or Netscape, which don't
appear to have the same about: URL features.
Jouko Pynnonen Online Solutions Ltd Secure your Linux -
jouko () solutions fi http://www.secmod.com
- Microsoft IE cookies readable via about: URLS Jouko Pynnonen (Nov 09)