IE: Universal Cross Domain Scripting Flaw

Discussion in 'other security issues & news' started by Paul Wilders, Jul 11, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    One of the many elements in HTML 4 is the OBJECT element that is used to embed external objects inside a page. Such objects can be the WebBrowser control and other ActiveX controls, images, applets and more.
    The object property of embedded WebBrowser controls is not subject to the Cross Domain security checks that embedded HTML documents ordinarily go through, and as such, it is possible to escape any sandboxing and security zone restrictions.

    Vulnerable systems:
    Any application that hosts the WebBrowser control. Some of these are:
    * Microsoft Internet Explorer
    * Microsoft Outlook
    * Microsoft Outlook Express
    * IE6 Win2000, all patches and service packs.
    * IE5.5 Win98, all patches and service packs.
    * IE5.5 WinNT 4, all patches and service packs.

    Impact:
    Elevating privileges, arbitrary command execution, local file reading, stealing arbitrary cookies, etc.

    Any document can extend the properties exposed by the OBJECT element, and any namespace conflicts are handled by querying the object property that is a duplicate reference to the embedded document.
    When embedding a document from the same site (same protocol, port, and host) it is possible to refer to the object property without circumventing any Cross Domain security checks. After having established a reference, we will then change the location of the document being embedded.
    The location changes but the reference stays, and we now have complete access to the DOM of the foreign document.
    The default object being referenced by the object property in the case of text/html is the document object. The simple proof-of-concept exploit below will read the cookie from
    The OBJECT element is not restricted to embedding HTML documents, but can embed objects of any type. As such, this vulnerability could be extended even further.


    deleted by Forum Admin

    Solution: (for users)
    Disable ActiveX, or set "Script ActiveX controls marked safe for scripting" to Prompt or Disable.
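    The workaround above is an Internet Explorer security-zone setting. The following script is an added example, not part of the advisory or this post, that audits that setting per zone and can move it from Enabled to Prompt; it assumes Microsoft's documented zone layout under HKCU (zone action 1405 = "Script ActiveX controls marked safe for scripting", values 0/1/3 = Enabled/Prompt/Disabled, zone 3 = Internet, zone 4 = Restricted sites).

```powershell
# Added example (not from the advisory or the forum post): audits the IE
# security-zone action "Script ActiveX controls marked safe for scripting"
# (zone action 1405 in Microsoft's documented zone settings) and optionally
# sets it to Prompt, as the post's workaround recommends. Run as the user
# whose settings you want to inspect; HKCU holds the per-user zone settings.
param(
    [switch]$Remediate,      # when set, change Enabled (0) to Prompt (1)
    [int[]]$Zones = @(3, 4)  # 3 = Internet, 4 = Restricted sites (assumed mapping)
)

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$action   = '1405'   # "Script ActiveX controls marked safe for scripting"
$meaning  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

foreach ($zone in $Zones) {
    $key = Join-Path $zoneRoot $zone
    if (-not (Test-Path $key)) {
        Write-Warning "Zone $zone : key not found under $zoneRoot"
        continue
    }
    $item = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value: the zone falls back to its built-in default.
        # Report that rather than guessing what the default is.
        Write-Output "Zone $zone : $action not explicitly set (built-in default applies)"
        continue
    }
    $current = [int]$item.$action
    $label = if ($meaning.ContainsKey($current)) { $meaning[$current] } else { "unknown ($current)" }
    Write-Output "Zone $zone : $action = $label"

    if ($Remediate -and $current -eq 0) {
        # Prompt (1) is the less disruptive of the two settings the post suggests;
        # use 3 here instead if you want Disabled.
        Set-ItemProperty -Path $key -Name $action -Value 1 -Type DWord
        Write-Output "Zone $zone : $action changed from Enabled to Prompt"
    }
}
```

    Zone settings managed by Group Policy live under HKLM and take precedence over the per-user values this script reads, so on a policy-managed machine treat its output as the user's local configuration, not the effective one.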


  2. Prince_Serendip

    Prince_Serendip Registered Member

    Apr 8, 2002
    Thank you for this posting. I disabled ActiveX a long time ago, including removing my Adobe Reader which uses ActiveX. Dangerous stuff is that ActiveX! (I found an alternate reader.)