J-Security Center

Title: Microsoft Internet Explorer 'setRequestHeader()' Multiple Vulnerabilities

Severity: MODERATE

Description:

Microsoft Internet Explorer is prone to multiple vulnerabilities that allow for referer-spoofing, HTTP-request-splitting, and HTTP-request-smuggling attacks through a user's browser.

The following security issues have been reported:

- The 'setRequestHeader' function of the 'XmlHttpRequest' JavaScript object allows an attacker to set the 'Transfer-Encoding' header of the HTTP request to the 'chunked' value. This will allow the attacker to send additional requests as a payload of the initial requests, facilitating an HTTP-request-smuggling attack.

- The 'setRequestHeader' function of the 'XmlHttpRequest' allows an attacker to overwrite the 'Content-Length', 'Host', and 'Referer' headers of the HTTP request. The attacker can carry out HTTP-request-splitting and HTTP-request-smuggling attacks by setting the 'Content-Length' value to contain multiple values. The attacker may also perform referer-spoofing attacks by manipulating the 'Host' and 'Referer' headers. Other scenarios and attack vectors are also possible.

To exploit these issues, the attacker must be able to execute JavaScript code in a victim's browser. This can be achieved by enticing an unsuspecting user to visit a malicious site or by exploiting other latent cross-site scripting or HTML-injection vulnerabilities.

Remote attackers may leverage these classes of attacks to poison web caches, steal credentials, evade IDS signatures, and launch cross-site scripting, HTML-injection, and session-hijacking attacks. Other attacks are also possible.

Affected Products:

  • Avaya Messaging Application Server
  • Avaya Messaging Application Server MM 1.1
  • Avaya Messaging Application Server MM 2.0
  • Avaya Messaging Application Server MM 3.0
  • Avaya Messaging Application Server MM 3.1
  • HP Storage Management Appliance 2.1
  • HP Storage Management Appliance I
  • HP Storage Management Appliance II
  • HP Storage Management Appliance III
  • Microsoft Internet Explorer 5.0.1 SP4
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 6.0 SP1
  • Microsoft Internet Explorer 7.0
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows Vista
  • Microsoft Windows Vista Business
  • Microsoft Windows Vista Enterprise
  • Microsoft Windows Vista Home Basic
  • Microsoft Windows Vista Home Premium
  • Microsoft Windows Vista Ultimate
  • Microsoft Windows XP Home
  • Microsoft Windows XP Professional
  • Nortel Networks CallPilot 1002rp
  • Nortel Networks CallPilot 200i
  • Nortel Networks CallPilot 201i
  • Nortel Networks CallPilot 702t
  • Nortel Networks CallPilot 703t
  • Nortel Networks Centrex IP Client Manager 10.0
  • Nortel Networks Centrex IP Client Manager 11.0
  • Nortel Networks Centrex IP Client Manager 9.0
  • Nortel Networks Contact Center
  • Nortel Networks Contact Center Administration
  • Nortel Networks Contact Center Express
  • Nortel Networks Contact Center Manager Server
  • Nortel Networks Contact Center NCC

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.