CERT-In Vulnerability Note CIVN-2008-95
Microsoft Internet Explorer 6 Cross-Domain Vulnerability

Original Issue Date: June 27, 2008

Severity Rating: Medium

System Affected

  • Microsoft Internet Explorer 6

Overview

A cross-domain vulnerability has been reported in Microsoft Internet Explorer 6, which could be exploited by remote attackers to access the contents of a web page in a different domain.

Description

IE 6 uses a cross-domain policy in its architecture to ensure that web pages from different domains do not interact, while still allowing interaction between pages of the same domain. This vulnerability is caused by IE 6 failing to properly implement the cross-domain policy when handling the “location” or “location.href” property of a window object.

Successful exploitation of this vulnerability allows access to the contents of a web page in a different domain and the launching of cross-domain scripting attacks.

Workaround

  • Upgrade to Internet Explorer 7
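
Planning the upgrade starts with knowing which clients still report the affected browser. The following added example (not part of the CERT-In note) counts requests per client IP whose User-Agent reports Internet Explorer 6 in a web server access log. The Combined Log Format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed input: Apache/nginx Combined Log Format
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The first MSIE token carries the version the browser reports for itself.
MSIE_RE = re.compile(r"\bMSIE (\d+)\.")

def is_ie6(user_agent):
    """True when the User-Agent reports Internet Explorer 6."""
    if "Opera" in user_agent:  # Opera could identify itself with an MSIE 6.0 token
        return False
    m = MSIE_RE.search(user_agent)
    return m is not None and m.group(1) == "6"

def ie6_clients(lines):
    """Count requests per client IP whose User-Agent reports IE 6.

    The User-Agent is client-supplied, so treat the result as an inventory
    hint for the upgrade, not as proof of the installed browser.
    """
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())  # lines that do not parse are skipped
        if m and is_ie6(m.group("ua")):
            hits[m.group("ip")] += 1
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
_PFX = '- - [27/Jun/2008:10:00:00 +0530] "GET / HTTP/1.1" 200 512 "-" '
SAMPLE_LOG = [
    '192.0.2.10 ' + _PFX + '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '192.0.2.10 ' + _PFX + '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    # IE 7 string carrying a second, nested MSIE 6.0 token: not IE 6
    '192.0.2.11 ' + _PFX + '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; '
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))"',
    '192.0.2.12 ' + _PFX + '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.50"',
    '198.51.100.7 ' + _PFX + '"Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9) Gecko Firefox/3.0"',
    '198.51.100.8 ' + _PFX + '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, count in sorted(ie6_clients(SAMPLE_LOG).items()):
        print(f"{ip}\t{count} request(s) from IE 6")
```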

References

US-CERT
http://www.kb.cert.org/vuls/id/923508

Secunia
http://secunia.com/advisories/30857/

ZDNet
http://blogs.zdnet.com/security/?p=1348

CVE Name
CVE-2008-2947

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003