ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [NT] Phishing Using IE7 Local Resource Vulnerability



> - - - - - - - - -
> 
> 
> 
> Phishing Using IE7 Local Resource Vulnerability 
> 
> 
> 
> Internet Explorer 7.0 is vulnerable to cross-site scripting 
> in one of its local resources. In combination with a design 
> flaw in this specific local resource it is possible for an 
> attacker to easily conduct phishing attacks against IE7 users. 
> 
> 
> Vulnerable Systems: 
>  * Windows Vista - Internet Explorer 7.0 
>  * Windows XP - Internet Explorer 7.0 
> 
> The navcancl.htm local resource is used by the browser when 
> for some reason a navigation to a specific page is canceled. 
> When a navigation is canceled the URL of the specific page is 
> provided to the navcancl.htm local resource after the # sign. 
> For example: 
> res://ieframe.dll/navcancl.htm#http://www.site.com. The 
> navcancl.htm page then generates a script in the Refresh the 
> page. link in order to reload the provided site again when 
> the user clicks on this link. It is possible to inject a 
> script in the provided link which will be executed when the 
> user clicks on the Refresh the page. link. Luckily, Internet 
> Explorer now runs most of its local resources (including 
> navcancl.htm) in Internet Zone , so this vulnerability cannot 
> be exploited to conduct a remote code execution. 
> 
> Unfortunately, there is also a design flaw in IE7. The 
> browser automatically removes the URL path of the local 
> resource and leaves only the provided URL. For example: when 
> the user visits 
> res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 will 
> show http://www.site.com in the address bar. 
> 
> To perform a phishing attack, an attacker can create a 
> specially crafted navcancl.htm local resource link with a 
> script that will display a fake content of a trusted site 
> (e.g. bank, paypal, MySpace). When the victim will open the 
> link that was sent by the attacker, a Navigation Canceled 
> page will be displayed. The victim will think that there was 
> an error in the site or some kind of a network error and will 
> try to refresh the page. Once he will click on the Refresh 
> the page. link, The attacker s provided content (e.g. fake 
> login page) will be displayed and the victim will think that 
> he s within the trusted site, because the address bar shows 
> the trusted site s URL. 
> 
> Proof-of-Concept: 
> A CNN.com article spoofing proof-of-concept can be found here 
> <http://aviv.raffon.net/ct.ashx?id=d8214cdd-efdd-4d27-8393-e31
> f1302b090&url=http%3a%2f%2fwww.raffon.net%2fresearch%2fms%2fie
> %2fnavcancl%2fcnn.html> . 
> 
> 
> Additional Information: 
> The information has been provided by Aviv Raff 
> <mailto:avivra@xxxxxxxxx> . 
> The original article can be found at: 
> http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourc
> eVulnerability.aspx 
> 
> 



 




Copyright © Lexa Software, 1996-2009.