Aviv Raff has published on his blog an interesting proof of concept of the vulnerability affecting Internet Explorer v7: a cross-site scripting in the navcancl.htm local resource.

This resource is called when the navigation to a page has been canceled, it displays an error message with a link to reload the current page, however the link is not filtered before being used (successful exploitation requires the user to click on the link). The researcher also explains how the browser does not show in the URL the local resource when it is called, this design flaw can thus be combined with the XSS vulnerability to conduct very dangerous phishing attacks.

A PoC is available on the Aviv Raff’s website:
http://www.raffon.net/research/ms/ie/navcancl/cnn.html
For those who do not have Internet Explorer 7, a video is also provided:
http://raffon.net/videos/ie7navcancl.wmv

Original News #1: http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx by Aviv Raff

Original News #2: http://www.xssed.com/news/23/IE7_users_beware_of_Navigation_Canceled_errors/ by Kevin Fernandez

Trackback This Post | Subscribe to the comments through RSS Feed