Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Microsoft Internet Explorer HTML Same Origin Policy Violation Vulnerability

Microsoft Internet Explorer HTML Same Origin Policy Violation Vulnerability

by Nikola Strahija on September 5th, 2002 A vulnerability exists in Microsoft Internet Explorer that can allow for a violation of the same origin policy. When MSIE is evaluating whether access across windows should be permitted, the domain of the parent window is compared to the child. A vulnerability in this process has been reported that is related to the handling of HTTP usernames included in the URL.


If the username value is suffixed with "%2f", MSIE will not remove the username when performing the same-origin check. Therefore it is possible to bypass the check if a username is included in a URL that matches the domain of the parent window and is appended with "%2f".

Remote: Yes
Exploit: The following proof of concept exploit was submitted by Liu Die Yu at:

http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
or
clik.to/liudieyu ==> 2FforMSIE-MyPage section.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »