Microsoft Internet Explorer跨帧脚本限制绕过漏洞(1) 受影响系统: Microsoft Internet EXPlorer 6.0SP1 Microsoft Internet Explorer 5.5SP2 Microsoft Internet Explorer 5.5SP1 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 6.0 - Microsoft Windows XP Professional - Microsoft Windows XP Home - Microsoft Windows NT 4.0 SP6a - Microsoft Windows ME - Microsoft Windows 98 SE - Microsoft Windows 98 - Microsoft Windows 2003 Web Edition - Microsoft Windows 2003 Standard Edition - Microsoft Windows 2003 Enterprise Edition 64-bit - Microsoft Windows 2003 Enterprise Edition - Microsoft Windows 2003 Datacenter Edition 64-bit - Microsoft Windows 2003 Datacenter Edition - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 9761
Microsoft Internet Explorer是一款流行的WEB浏览器。
Microsoft Internet Explorer存在一个访问验证错误,远程攻击者可以利用这个漏洞可绕过跨帧脚本限制,盲目的'受信'的执行恶意脚本。
问题是由于IE事件处理函数中的不充分限制。根据Microsoft Knowledge Base Article 167796( http://support.microsoft.com/support/kb/articles/Q167/7/96.ASP ),在不同域中的帧访问必须限制。但是通过构建包含恶意javascript的帧定义,可绕过帧访问限制。
