Microsoft IE Frame Javascript URL Cross-Domain Script Execution

2002-09-22T00:00:00
ID OSVDB:2998
Type osvdb
Reporter OSVDB
Modified 2002-09-22T00:00:00

Description

Vulnerability Description

Microsoft Internet Explorer allows a remote attacker to execute arbitrary JavaScript on any HTML document that uses <frame> or <iframe> elements. The script is executed in the security context of the currently loaded site. This would allow attackers to steal cookies, read local files or execute programs.

Technical Description

AKA "Who framed Internet Explorer"

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

References:

Microsoft Security Bulletin: MS02-066
ISS X-Force ID: 10066
Generic Informational URL: http://sec.greymagic.com/adv/gm010-ie/
CVE-2002-1187
Bugtraq ID: 5672