|
| |
|
Security Intelligence Operations
Microsoft Internet Explorer setRequestHeader() Request Handling HTTP Request Splitting and Smuggling Vulnerability |
| |
| Vulnerability Alert | Powered by  |
|
|
| Threat Type: | Intercept/Monitoring/Traffic Analysis: Corruption |
|
| IntelliShield ID: | 15497 |
| Version: | 3 |
| First Published: | March 26, 2008 12:19 PM EDT |
| Last Published: | June 10, 2008 03:36 PM EDT |
| Vector: | Network |
| Authentication: | None |
| Exploit: | Unproven |
| Port: |
Not Available
|
| CVE: | CVE-2008-1544
,
CVE-2008-1545 |
| BugTraq ID: | 28379 |
| |
| Urgency: |
Unlikely Use
|  |
 | Credibility: |
Confirmed
|  |
| Severity: |
Mild Damage
|  |
| CVSS Base: | 4.3 |
CVSS Calculator
CVSS Version 2
|
| CVSS Temporal: | 3.2 |
|
|
| |
| Version Summary: | Microsoft has released a security bulletin and software updates to address the HTTP request splitting and smuggling vulnerability in Internet Explorer. |
| |
| |
| Description |
|
Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote attacker to conduct HTTP request splitting and smuggling attacks.
The vulnerability is due to an input validation error in the browser that allows attackers to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. In certain instances, an exploit could allow the attacker to bypass web application firewalls or other filtering devices.
Microsoft has confirmed the vulnerability and released software updates. |
| |
| Warning Indicators |
|
Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 are vulnerable on the following operating systems:
- Windows 2000 SP4 and prior
- Windows XP SP3 and prior
- Windows XP Professional x64 Edition SP2 and prior
- Windows Server 2003 SP2 and prior
- Windows Server 2003 for Itanium-based Systems SP2 and prior
- Windows Server 2003 x64 Edition SP2 and prior
- Windows Vista SP1 and prior
- Windows Vista x64 Edition SP1 and prior
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for Itanium-based Systems
|
| |
| IntelliShield Analysis |
|
Typically, HTTP response smuggling and splitting vulnerabilities are not dangerous. However, an exploit of this vulnerability could be leveraged as a platform to allow an attacker to perform various other attacks against client and server systems, including cross-site scripting, proxy cache poisoning, session fixation, and cross-site request forgery attacks.
Because an attacker can control the header content that is sent by the user's browser and the location to which the headers are sent, an attacker could leverage this vulnerability to perform attacks against known vulnerabilities in third-party scripts or applications. This action may also allow the attacker to bypass same domain policies if both the attacker and the victims' sites reside on the same host.
User interaction is required to exploit this vulnerability because the attacker must convince a user to visit a malicious website. This aspect reduces the likelihood of attacks.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities disclosed in the June 2008 Microsoft Security Bulletin release that can be identified or mitigated using Cisco devices. This Cisco bulletin is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for June 2008 |
| |
| Vendor Announcements |
|
Microsoft has released a security bulletin available at the following link: MS08-031 |
|
| |
| Impact |
|
An unauthenticated, remote attacker could exploit this vulnerability to perform HTTP request splitting and smuggling attacks, which could be leveraged to conduct cross-site scripting, proxy cache poisoning, session fixation, or firewall or filter protection bypass. The impact of exploit attempts will depend on the attack type and the affected host or network. |
| |
| Technical Information |
|
The vulnerability is due to an input validation error when processing user-supplied input via the setRequestHeader() method. An unauthenticated, remote attacker could exploit this vulnerability using the setRequestHeader() method to set the browser Transfer-Encoding: header to chunked. This action exposes the browser to HTTP request splitting and smuggling attacks. The attacker could leverage this behavior to use the setRequestHeader() method to overwrite certain headers that are sent to an attacked host, such as the Content-Length, Host, and Referer headers. Control of these values may allow the attacker to perform HTTP
request splitting attacks. |
| |
| Safeguards |
|
Administrators are advised to apply the appropriate update.
Users are advised not to follow unsolicited links. Users should verify the authenticity of unexpected links from trusted sources prior to following them.
Users and administrators are advised to manually log out of websites, portals, or administrative interfaces when a session has been completed.
Users may consider utilizing a different web browser. |
| |
| Patches/Software |
|
|
Microsoft has released updated software at the following links:
Internet Explorer 5.01 SP4
Windows 2000 SP4
Internet Explorer 6 SP1
Windows 2000 SP4
Internet Explorer 6
Windows XP SP2
Windows XP SP3
Windows XP Professional x64 Edition SP2 and prior
Windows Server 2003 SP1 and SP2
Windows Server 2003 x64 Edition SP2 and prior
Windows Server 2003 with SP1 and SP2 for Itanium-based Systems
Internet Explorer 7
Windows XP SP2 and SP3
Windows XP Professional x64 Edition SP2 and prior
Windows Server 2003 SP1 and SP2
Windows Server 2003 x64 Edition SP2 and prior
Windows Server 2003 with SP1 and SP2 for Itanium-based Systems
Windows Vista SP1 and prior
Windows Vista x64 Edition SP1 and prior
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems |
|
| Signatures |
| |
|
|
| |
| Alert History |
| |
Version 2, April 2, 2008, 8:39 AM: IntelliShield is re-releasing this alert to include common vulnerability identification information.
Version 1, March 26, 2008, 12:19 PM: Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to conduct HTTP request splitting and smuggling attacks. No updates are available. |
|
Product Sets |
| |
The security vulnerability applies to the following combinations of products.
|
|
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. |
|
|
| |
