Microsoft IE window.open Function Execute Code (WsFakeSrc)

2003-09-10T00:00:00
ID OSVDB:3097
Type osvdb
Reporter OSVDB
Modified 2003-09-10T00:00:00

Description

Vulnerability Description

Microsoft Internet Explorer allows a remote attacker to obtain sensitive information from a remote system or execute arbitrary code. The issue is due to a flaw in the window.open function and the permissions it honors between windows. A remote attacker could create a malicious HTML document that would use this function to obtain sensitive information and execute arbitrary JavaScript in the security context of the web page being viewed.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Disable Active Scripting, ActiveX, and Web site plug-ins.

Short Description

Microsoft Internet Explorer allows a remote attacker to obtain sensitive information from a remote system or execute arbitrary code. The issue is due to a flaw in the window.open function and the permissions it honors between windows. A remote attacker could create a malicious HTML document that would use this function to obtain sensitive information and execute arbitrary JavaScript in the security context of the web page being viewed.

References:

Secunia Advisory ID: 9711
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-09/0155.html
Keyword: WsFakeSrc
ISS X-Force ID: 13163
CVE-2003-0816
Bugtraq ID: 8577