Old XMLHTTP HTTP Request flaw in MSIE raising interest

Sometimes old, unpatched vulnerabilities raise interest in the security community without any media attention. One of these appears to be the old Microsoft Internet Explorer “XMLHTTP” HTTP Request Injection vulnerability listed on the Web site of the Danish company Secunia.

The company’s advisory SA16942 is one of the advisories listed in the Top 5 Most Read Secunia Security Advisories section of Secunia’s Advisories page. According to its title field, this list is updated automatically based on the advisories read during the last 24 hours.

From the Description:

Amit Klein has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to manipulate certain data and conduct HTTP request smuggling attacks.

Mr. Klein himself uses the term Referrer Spoofing.
And later:

Input passed to the method parameter in the “open()” function in the “Microsoft.XMLHTTP” ActiveX control isn’t properly sanitised before being used in a HTTP request. This can be exploited to inject arbitrary HTTP requests via specially crafted input containing tab and newline characters (spaces are not allowed).
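The missing check the advisory describes, as an added example (not code from the advisory, Secunia or Microsoft): the method argument is accepted only if it is an RFC 7230 token and is on an allow-list. `checkMethod`, `safeOpen`, `auditSamples` and the allow-list are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: validate the "method" argument before it reaches open().
// RFC 7230 defines a method as a "token" (one or more tchar), which excludes
// tab, CR, LF, space and all other control and separator characters.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Methods this hypothetical application permits (assumption, adjust per app).
const ALLOWED_METHODS = new Set(["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"]);

function describeChar(ch) {
  // Render the offending character as U+XXXX so control characters are visible in logs.
  return "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
}

function checkMethod(method) {
  if (typeof method !== "string" || method.length === 0) {
    return { ok: false, reason: "method must be a non-empty string" };
  }
  if (!TOKEN.test(method)) {
    const bad = [...method].find((ch) => !TOKEN.test(ch));
    return { ok: false, reason: "illegal character " + describeChar(bad) };
  }
  // Method names are case-sensitive, so the allow-list match is exact.
  if (!ALLOWED_METHODS.has(method)) {
    return { ok: false, reason: "method not in allow-list" };
  }
  return { ok: true, reason: "" };
}

// Wrapper for any object exposing open(method, url, async), e.g. an XMLHTTP object.
function safeOpen(xhr, method, url, isAsync = true) {
  const verdict = checkMethod(method);
  if (!verdict.ok) {
    throw new TypeError("refusing open(): " + verdict.reason);
  }
  return xhr.open(method, url, isAsync);
}

// Constructed sample inputs: one clean method, two carrying the tab and newline
// characters named in the advisory, and one valid token that is not allowed.
const CONSTRUCTED_SAMPLES = ["GET", "GET\tX", "GET\r\nX-Constructed:1", "TRACE"];

function auditSamples(samples = CONSTRUCTED_SAMPLES) {
  return samples.map((m) => ({ input: JSON.stringify(m), ...checkMethod(m) }));
}

console.log(auditSamples());
```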

This vulnerability was reported to Secunia on September 26th, 2005. That is more than five months ago.

Secunia lists a workaround-type solution: “Set security level to ‘High’.”

There is no CVE entry listed in the advisory.

All other advisories on the list are typical, popular issues such as the new OS X patches (Apple Security Update 2006-001) and the WordPress XSS vulnerability published yesterday. The OS X advisories are very new and were recently updated, too.

According to OSVDB ID #19662, this issue was reported to the BugTraq list via this message, which includes several recommendations to site owners and vendors and six coverage references. Reportedly this issue is similar to the one fixed in Firefox 1.0.7; see www.mozilla.org/security/announce/mfsa2005-58.html.

March 3rd @09:30 UTC: Sun Solaris Multiple Apache Vulnerabilities has taken over this advisory’s 4th position; #16942 is now fifth.