Re: Cross Domain Scripting Vulnerability, Javascript
From: Eric Lawrence [MSFT] (e_lawrence_at_hotmail.com)
Date: 11/29/04
Date: Mon, 29 Nov 2004 14:15:19 -0800
The local computer zone in XP SP2 doesn't have permissions to execute
script, so I'm not sure that there's a real exploit here. I suspect perhaps
the scanner needs to be updated?
--
Thanks,
Eric Lawrence
Program Manager
Internet Explorer Trust

This posting is provided "AS IS" with no warranties, and confers no rights.

"Brad" <Brad@discussions.microsoft.com> wrote in message
news:902C9FF2-BEAF-45CE-9929-CA569C7E9A71@microsoft.com...
>
>
> "Frank Saunders, MS-MVP IE/OE" wrote:
>
> > "Brad" <Brad@discussions.microsoft.com> wrote in message
> > news:A0CFB49B-6696-4CC0-862B-1A43B3015CB5@microsoft.com
> > > After running SCANIT browser security
> > > test(http://bcheck.scanit.be/bcheck/index.php)
> > > the result shows 1 Medium Risk Vulnerability.
> > >
> > > The sites description is as follows:
> > > ---------------------------------------------------------
> > > Microsoft Internet Explorer file:javascript: Cross Domain Scripting
> > > Vulnerability (ldy20030910-01)
> > >
> > > Description
> > > This bug allows a web site to read the contents of any file on your
> > > computer. The web site has to know the exact path and name of the
> > > file. A malicious website may also be able to exploit this
> > > vulnerability to delete mail from your webmail account or to spoof
> > > trusted websites.
> > >
> > > Technical Details
> > > It is possible to inject JavaScript code into Search bar and Media
> > > bar in Internet Explorer using "file:javascript:.." URL. The code
> > > will be executed in the domain context of the document that was
> > > loaded in the bar.
> > >
> > > A malicious web site can first open a document from any domain in
> > > Search bar and then execute JavaScript code getting access to the
> > > document.
> > >
> > > There is a technique that allows injecting JavaScript code into Local
> > > Computer zone using this vulnerability. This allows a malicious web
> > > site to get access to local files and even execute arbitrary code.
> > > See "Additional Information" for details.
> > >
> > > Recommendations
> > > We recommend using Windows Update to correct this problem.
> > > -----------------------------------------------------------
> > >
> > > 'Windows Update' tells me all mine are current and no new ones
> > > available for download.
> > >
> > > I am using WIN XP Pro-SP2, have Java plugin 1.4.2_06 for Windows, and
> > > would appreciate any help with correcting this problem if possible.
> > >
> > > Brad
> >
> > JavaScript has nothing to do with Java. They aren't related.
> >
> > 1. You might want to refresh your scripting engine:
> > http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28001169
> > or
> > http://msdn.microsoft.com/library/default.asp?url=/downloads/list/webdev.asp
> > Windows Script 5.6 for Windows 2000 and XP
> > http://www.microsoft.com/downloads/details.aspx?FamilyID=c717d943-7e4b-4622-86eb-95a22b832caa&DisplayLang=en
> >
> > Sometimes there's a corrupt file in the cache and one must go to Tools |
> > Internet Options and click Delete Files.
> >
> > 2a. Start>Run>Regsvr32 vbscript.dll
> >
> > 2b. Start>Run>Regsvr32 jscript.dll
> >
> > (WinXP users who have problems with 2a and 2b, see
> > http://www.mvps.org/inetexplorer/answers_9.htm)
> >
> > 3. Re-register all DLLs listed in http://support.microsoft.com/?kbid=281679
> >
> > 4. See also
> > Error Message When You Browse the Web: An Error Has Occurred in the Script
> > on This Page
> > http://support.microsoft.com/?kbid=306831
> > Scripting Errors When You View Web Pages in Internet Explorer after
> > Installing Office 2003
> > http://support.microsoft.com/?kbid=822521
> >
> > 5a. IE Tools>Internet Options>Advanced>Browsing>Enable third-party browser
> > extensions (uncheck & reboot).
> >
> > 5b. Find the hijacker that caused 5a to be checked (or if none were checked,
> > check for hijackware anyway):
> >
> > Dealing with Hijackware
> > http://mvps.org/winhelp2002/unwanted.htm
> > http://aumha.org/a/parasite.htm
> > http://www.mvps.org/inetexplorer/Darnit.htm
> >
> > --
> > Frank Saunders, MS-MVP, IE/OE
> > Please respond in Newsgroup only. Do not send email
> > http://www.fjsmjs.com
> > Protect your PC
> > http://www.microsoft.com/security/protect/
> >
>
> Hello Frank,
>
> thanks for the above, I have gone through all the suggestions, except for
> re-installing IE6, but unfortunately I still get the same vulnerability
> warning.
>
> Regards, Brad
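
One way to check on a given machine whether script is allowed to run in the local computer zone, which is the condition the reply at the top of this message relies on. This is an added example, not part of the original thread; it assumes PowerShell is installed, reads the standard Internet Explorer zone registry locations, and does not evaluate Group Policy overrides. The helper name `Get-RegValue` is hypothetical.

```powershell
# Added example: report the "Active scripting" setting (URL action 1400)
# for IE zone 0 (local computer) and whether Local Machine Zone Lockdown
# is enabled for iexplore.exe. Read-only; changes nothing.
$action  = '1400'
$meaning = @{ 0 = 'allow'; 1 = 'prompt'; 3 = 'disable' }
$inet    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$feature = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# 1 means the lockdown feature is on for the IE process.
$lockdown = Get-RegValue $feature 'iexplore.exe'
$lockdownState = 'not set'
if ($lockdown -eq 1) { $lockdownState = 'enabled' }
elseif ($null -ne $lockdown) { $lockdownState = 'disabled' }
New-Object PSObject -Property @{
    Setting = 'FEATURE_LOCALMACHINE_LOCKDOWN (iexplore.exe)'
    State   = $lockdownState
}

# Zones\0 is the normal local computer zone; Lockdown_Zones\0 is the
# template applied while the lockdown feature is in effect.
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($zoneKey in 'Zones\0', 'Lockdown_Zones\0') {
        $value = Get-RegValue "$hive\$inet\$zoneKey" $action
        $state = 'not set'
        if ($null -ne $value) {
            $state = $meaning[[int]$value]
            if ($null -eq $state) { $state = "unrecognised value $value" }
        }
        New-Object PSObject -Property @{
            Setting = "$hive $zoneKey action $action"
            State   = $state
        }
    }
}
```

A result of `enabled` for the lockdown feature together with `disable` or `prompt` under `Lockdown_Zones\0` is the configuration in which script does not run silently in the local computer zone.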