Microsoft IE Travel Log Arbitrary Script Execution

2004-02-02T15:44:17
ID OSVDB:3791
Type osvdb
Reporter OSVDB
Modified 2004-02-02T15:44:17

Description

Vulnerability Description

Microsoft Internet Explorer contains a flaw that allows a remote cross-zone scripting attack. The flaw exists because the application might execute code in the Local Machine zone if the page contains a subframe. This could allow a user to create a specially crafted URL that, when viewed, would execute arbitrary code in a user's browser within the security context of the currently logged-on user, leading to a loss of confidentiality, integrity and availability.

Solution Description

Upgrade to the latest service pack for Internet Explorer, as it will fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): activate the following setting in IE: "Prompt before running ActiveX controls and active scripting in the Internet zone and in the Local Intranet zone".

References:

Vendor Specific Advisory URL
Secunia Advisory ID: 10765
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-11/0297.html
ISS X-Force ID: 13846
CVE-2003-1026
CERT VU: 784102
Bugtraq ID: 9109