HTTP: Internet Explorer Local Web Folder

This signature detects Web pages with Web folders pointing to a client-side folder. Attackers can use a malicious Web page containing a client-side Web folder to install arbitrary files in sensitive locations on the client file system, such as the startup folder. However, a Web site could also be using a client-side Web folder legitimately.

Extended Description

Microsoft Internet Explorer is reported prone to a vulnerability that may allow unauthorized installation of malicious executables. Proof-of-concepts have been released demonstrating that a user can be enticed, with some degree of user interaction, into installing a file on their own computer. Specifically, an executable may be embedded in a Web page and presented to the user as an image object. Another frame can be loaded that references a folder on the victim's file system via the anchorClick style behavior. The page is obfuscated to disguise the fact that when the user clicks on the image object, the click implicitly drags it to the specified folder.

It has been demonstrated that various other measures may be taken to limit the amount of user interaction required, but the exploit hinges on the user interacting, via mouse events, with an object in the Web page that represents an executable, causing the executable to be moved to the folder loaded in the obfuscated secondary frame. An attacker may exploit this vulnerability to influence a victim into unknowingly installing software in a location on the computer such as the startup folder. If the malicious executable is placed in the startup folder, it will run when the system is restarted.

Affected Products

Avaya s8100_media_servers, Microsoft internet_explorer

Short Name
HTTP:STC:IE:LOCAL-WEB-FOLDER
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
CVE-2004-0839 Explorer Folder Internet Local Web bid:10973
Release Date
10/21/2004
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3375
False Positive
Unknown
Vendors

Nortel_networks

Microsoft

Avaya

CVSS Score

5.0
