CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile: 95.7%
A cross-domain scripting vulnerability exists in the way Microsoft Internet Explorer (IE) evaluates Content-Type and Content-Disposition headers and checks for files in the local browser cache. This vulnerability could allow a remote attacker to execute arbitrary script in a different domain, including the Local Machine Zone.
Microsoft Security Bulletin MS03-032 describes a vulnerability in the way IE checks for files in the local browser cache:
A flaw in Internet Explorer could allow a malicious Web site operator to access information in another Internet domain, or on the user’s local system by injecting specially crafted code when the browser checks for the existence of files in the browser cache. …There is a flaw in the way Internet Explorer checks the originating domain when checking for the existence of local files in the browser cache.
SNS Advisory No.67 further elaborates:
If specific MIME type is specified in the Content-Type header of an HTTP response and if a special string is defined in the Content-Disposition header, this string can be automatically downloaded and opened within the Temporary Internet Files (TIF) under several conditions in Microsoft Internet Explorer. …Additionally, if this vulnerability is exploited through a specific string in the Content-Disposition header, the OBJECT tag can be parsed in the “My Computer” zone.
Presumably, specially crafted Content-Type and Content-Disposition headers can cause IE to execute script in a different domain, including the Local Machine Zone. It seems that the contents of the Content-Disposition header are treated as HTML code, and any script in those contents is executed without regard to cross-domain security restrictions. For some reason, IE considers the script to be in the Local Machine Zone, even though files in the Temporary Internet Files directory should not be trusted and are typically treated as if they were in the Internet zone.
An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could execute arbitrary script with privileges of the user in the security context of the Local Machine Zone. This technique could be used to read certain types of files in known locations on the user’s system. In conjunction with other vulnerabilities (VU#626395, VU#25249), the attacker could execute arbitrary commands on the user’s system. The attacker could also determine the path to the Temporary Internet Files folder (cache) and access data from other web sites.
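A gateway-side check for the header behaviour described above, given as an added example that is not part of the original advisory or of Microsoft's fix: it flags HTTP responses whose Content-Disposition value contains HTML markup, including percent-encoded and folded forms. The advisory does not give the exact string or MIME type, so the tag-opener pattern, the function names and the sample responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote
# Assumption: an HTML tag opener ("<object", "</script", "<!DOCTYPE") is the indicator.
TAG_OPENER = re.compile(r"<[/!]?[A-Za-z]")

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response head."""
    headers = []
    for line in raw.split("\r\n")[1:]:          # element [0] is the status line
        if not line:                             # blank line ends the head
            break
        if line[0] in " \t" and headers:         # obs-fold continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def check_response(raw):
    """Flag Content-Disposition values that carry HTML markup."""
    headers = parse_headers(raw)
    ctype = next((v for n, v in headers if n == "content-type"), "")
    findings = []
    for name, value in headers:
        if name != "content-disposition":
            continue
        decoded = unquote(value)   # also covers RFC 5987 filename*=UTF-8''%3C...
        if TAG_OPENER.search(decoded):
            findings.append({"content_type": ctype.split(";")[0].strip().lower(),
                             "content_disposition": value})
    return findings

def head(*lines):
    return "\r\n".join(("HTTP/1.1 200 OK",) + lines + ("", ""))

# Constructed sample responses (not captured traffic, not a working exploit).
BENIGN = head("Content-Type: application/pdf",
              'Content-Disposition: attachment; filename="a<3 report.pdf"')
MARKUP = head("Content-Type: text/plain",
              'Content-Disposition: inline; filename="<b>x</b>.txt"')
ENCODED = head("Content-Type: text/plain",
               "Content-Disposition: attachment; filename*=UTF-8''%3Cobject%3E.txt")
FOLDED = head("Content-Type: text/plain",
              "Content-Disposition: attachment;", '\tfilename="</p>.txt"')

if __name__ == "__main__":
    for raw in (BENIGN, MARKUP, ENCODED, FOLDED):
        print(check_response(raw))
```

A check like this supplements the patch on networks where unpatched clients may still exist; it does not replace applying the update.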
Apply patch
Apply 822925 or a more recent cumulative patch for IE. See Microsoft Security Bulletin MS03-032.
205148
Notified: August 25, 2003 Updated: August 25, 2003
Affected
Please see Microsoft Security Bulletin MS03-032.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email with the subject "VU#205148 Feedback".
Microsoft credits LAC/SNS for reporting this vulnerability. Information used in this document came from LAC/SNS and Microsoft.
This document was written by Art Manion.
CVE IDs: | CVE-2003-0531 |
---|---|
CERT Advisory: | CA-2003-22 |
Severity Metric: | |
msdn.microsoft.com/workshop/security/szone/overview/overview.asp
support.microsoft.com/default.aspx?scid=kb;en-us;822925
www.lac.co.jp/security/english/snsadv_e/67_e.html
www.microsoft.com/security/security_bulletins/ms03-032.asp
www.microsoft.com/technet/security/bulletin/MS03-032.asp
www.secunia.com/advisories/9580/
www.securityfocus.com/bid/8457
xforce.iss.net/xforce/xfdb/12961