Bugtraq mailing list archives
Re: Microsoft IE cookies readable via about: URLS
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Sat, 10 Nov 2001 02:51:21 +1200
Jouko Pynnonen <jouko () solutions fi> wrote:
Microsoft Internet Explorer has a vulnerability which allows a malicious website to access any cookie in the browser's memory or those stored on disk. Cookies are used by web sites for storing preferences, statistics and tracking users, but also for storing more sensitive information such as session keys and even usernames and passwords. Cookies are used by many (probably most) online banks, webmail systems, and other sites requiring user authentication. Access to cookies may allow an attacker to retrieve passwords or other sensitive information, or hijack authenticated web sessions. What makes this possible are certain features of "about:" URL handling of IE. For some reason, an URL starting with "about:" can contain html code that will be interpreted by the browser. For instance entering the URL "about:<h1>hello</h1>" brings up a page with the heading "hello". The URL may contain JavaScript as well. Going to the following location with IE causes an alert box to be displayed: about:<script language=JavaScript>alert('ALERT');</script>
This was hinted at in Andrew Clover's message of 19 October that pointed out the about: protocol is, by default, in the Internet security zone *and* about: URLs can have cookies. This is a neat, though unsurprising, extension of that. Andrew's post is in the archives at: http://www.securityfocus.com/archive/1/221612
Finally, the about URL may have a hostname placed after the colon, and IE uses that hostname when determining the cookies to use: about://www.anydomain.fi/<script language=JavaScript>alert(document.cookie);</script> The above URL would result in IE displaying cookies of www.anydomain.fi in the alert box, assuming that the site has been visited and it has set a cookie which hasn't expired. A malicious website can have a piece of JavaScript redirecting the browser to an about: URL similar to the one above, and do anything with the cookie information of any selected domain. Instead of showing an alert box, the JavaScript code might just pass the cookie contents to a script or a CGI program which could quietly store the information to a file and then redirect the browser elsewhere or show some seemingly harmless web content. A web page for testing the vulnerability can be found at http://www.solutions.fi/iebug/ You can type in an address of a website that uses cookies, (without "http://") and it will tell you if your browser is vulnerable to the problem. For a relatively harmless test case try typing the address www.google.com in the box (assuming you've visited Google before). At least IE versions 6 and 5.50 appear to be vulnerable, but it looks like some older versions like 5.00 isn't, at least in the way described above. It interprets the html and JavaScript, but doesn't have any cookie data in document.cookie. A vulnerability with the same impact came public in May 2000, see http://www.peacefire.org/security/iecookies/. Microsoft was contacted November 1st. Their response was quick and they are producing a patch to be released soon (if not already released).
That's interesting, given they seemed to think there was no problem (despite the flaw being obvious to the rest of the world) back when Andrew mentioned it...
Until then, you can protect yourself from the vulnerability by disabling cookies (at Tools -> Internet options -> Security -> Customize) or by switching to another browser such as Opera or Netscape, which don't appear to have the same about: URL features.
A better workaround (assuming that you feel cookies are "relatively useful" and would rather not turn them off) is to put about: URLs into the Restricted Sites zone, as detailed in Andrew Clover's followup to his own post: http://www.securityfocus.com/archive/1/222552 In short, create a DWORD value named "about" under: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults and set it to 4. I just tested this against your test page and with the above value set, the test tells me "No cookies found for site...". Interestingly, this registry change seems to have almost immediate effect -- i.e. it did not require a restart or logout/login or even an IE exit/restart (I did this on Win2K) but occasionally, when running the test page over and over alternating back and forward between having the above value set and not present (the default), the page would work as if the registry value had not yet been changed. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Current thread:
- Microsoft IE cookies readable via about: URLS Jouko Pynnonen (Nov 08)
- Re: Microsoft IE cookies readable via about: URLS Nick FitzGerald (Nov 09)
- Re: Microsoft IE cookies readable via about: URLS Jeffrey W. Dronenburg (Nov 10)
- RE: Microsoft IE cookies readable via about: URLS Oliver Petruzel (Nov 12)
- Re: Microsoft IE cookies readable via about: URLS Thomas Reinke (Nov 12)
- Re: Microsoft IE cookies readable via about: URLS Valdis . Kletnieks (Nov 12)
- RE: Microsoft IE cookies readable via about: URLS Per Arne Johansson (Nov 12)
- <Possible follow-ups>
- Re: Microsoft IE cookies readable via about: URLS Clover Andrew (Nov 12)
- Re: Microsoft IE cookies readable via about: URLS Kristian Strickland (Nov 14)
- Re: Microsoft IE cookies readable via about: URLS Peter W (Nov 15)
- RE: Microsoft IE cookies readable via about: URLS Kristian Strickland (Nov 15)
- Re: Microsoft IE cookies readable via about: URLS Nick FitzGerald (Nov 09)