Vulnerability Note VU#205148

Microsoft Internet Explorer does not properly evaluate Content-Type and Content-Disposition headers

Original Release date: 25 Aug 2003 | Last revised: 26 Aug 2003

Overview

A cross-domain scripting vulnerability exists in the way Microsoft Internet Explorer (IE) evaluates Content-Type and Content-Disposition headers and checks for files in the local browser cache. This vulnerability could allow a remote attacker to execute arbitrary script in a different domain, including the Local Machine Zone.

Description

Microsoft Security Bulletin MS03-032 describes a vulnerability in the way IE checks for files in the local browser cache:

    A flaw in Internet Explorer could allow a malicious Web site operator to access information in another Internet domain, or on the user's local system by injecting specially crafted code when the browser checks for the existence of files in the browser cache. ...There is a flaw in the way Internet Explorer checks the originating domain when checking for the existence of local files in the browser cache.

SNS Advisory No.67 further elaborates:

    If a specific MIME type is specified in the Content-Type header of an HTTP response and if a special string is defined in the Content-Disposition header, this string can be automatically downloaded and opened within the Temporary Internet Files (TIF) under several conditions in Microsoft Internet Explorer. ...Additionally, if this vulnerability is exploited through a specific string in the Content-Disposition header, the OBJECT tag can be parsed in the "My Computer" zone.

Presumably, specially crafted Content-Type and Content-Disposition headers can cause IE to execute script in a different domain, including the Local Machine Zone. It appears that the contents of the Content-Disposition header are treated as HTML, and any script in those contents is executed without regard to cross-domain security restrictions. It is not clear why IE considers the script to be in the Local Machine Zone: files in the Temporary Internet Files directory should not be trusted and are typically treated as if they were in the Internet zone.
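As an added example (not code from the CERT note, SNS, or Microsoft), the following Python check shows what a proxy or gateway can do on the defending side: parse the response head and flag any Content-Disposition value that departs from the RFC 2183 token/quoted-string grammar or carries markup characters, which is the kind of value the note describes IE rendering as HTML. The header grammar regexes, the sample responses and all function names are constructed for this example.

```python
import re
# RFC 2616 token (no CTLs, no tspecials ()<>@,;:\"/[]?={} SP HT) and quoted-string
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\\r\n]|\\[^\r\n])*"'
_TYPE_RE = re.compile(r"\s*(" + _TOKEN + r")")
_PARAM_RE = re.compile(r"\s*;\s*(" + _TOKEN + r")\s*=\s*(" + _TOKEN + r"|" + _QUOTED + r")")

def parse_headers(raw: bytes) -> dict:
    """Lowercase-keyed dict of the headers in a raw HTTP response head (first value wins)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def content_disposition_findings(value: str) -> list:
    """Reasons a Content-Disposition value is not clean RFC 2183 syntax; [] if it is."""
    value = value.rstrip()
    m = _TYPE_RE.match(value)
    if not m:
        return ["disposition type is not a token: %r" % value[:40]]
    findings, pos = [], m.end()
    while pos < len(value):
        pm = _PARAM_RE.match(value, pos)
        if not pm:  # stray text, control characters, unquoted markup
            findings.append("unparseable text at offset %d: %r" % (pos, value[pos:pos + 40]))
            break
        if re.search(r"[<>]", pm.group(2)):  # legal inside a quoted-string, but never a real filename
            findings.append("parameter %s carries markup characters" % pm.group(1))
        pos = pm.end()
    return findings

def suspicious_responses(responses: list) -> list:
    """(index, findings) pairs for responses a gateway should block or rewrite."""
    hits = []
    for i, raw in enumerate(responses):
        findings = content_disposition_findings(parse_headers(raw).get("content-disposition", "inline"))
        if findings:
            hits.append((i, findings))
    return hits

SAMPLE_RESPONSES = [  # constructed samples, not captured traffic
    b'HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Disposition: attachment; filename="report.pdf"\r\n\r\n',
    b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Disposition: inline; filename="<b>page</b>.html"\r\n\r\n',
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Disposition: attachment; filename=a.htm <b>x</b>\r\n\r\n",
]
```

Running `suspicious_responses(SAMPLE_RESPONSES)` reports the second and third constructed responses; the clean PDF download passes.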

Impact

An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could execute arbitrary script with the privileges of the user in the security context of the Local Machine Zone. This technique could be used to read certain types of files in known locations on the user's system. In conjunction with other vulnerabilities (VU#626395, VU#25249), the attacker could execute arbitrary commands on the user's system. The attacker could also determine the path to the Temporary Internet Files folder (the browser cache) and access data from other web sites.

Solution

Apply patch
Apply 822925 or a more recent cumulative patch for IE. See Microsoft Security Bulletin MS03-032.

Systems Affected

Vendor                 Status    Date Notified  Date Updated
Microsoft Corporation  Affected  25 Aug 2003    25 Aug 2003

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

Microsoft credits LAC/SNS for reporting this vulnerability. Information used in this document came from LAC/SNS and Microsoft.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2003-0531
  • CERT Advisory: CA-2003-22
  • Date Public: 20 Aug 2003
  • Date First Published: 25 Aug 2003
  • Date Last Updated: 26 Aug 2003
  • Severity Metric: 20.27
  • Document Revision: 22
