Volleynerd Knowledge Base

Tuesday, July 01, 2003


IE About: script vulnerability

Thanks to Gomez for this one, which he found in a Google Groups search.
Info about vulnerability
Apparently the "about:" URL has some behavior that allows some cross-site cookie sharing. Interesting reading...
about with script
This URL will run the script code -- anything after about: will be interpreted as a "page" and run in IE. The cookies defined with the about: URL are shareable between sites. See the above news posts for more info, including a registry change to put about: URLs in the "Restricted Sites" zone. (I think this prevents the cookie sharing as explained.)

Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults and add a DWORD, name 'about', value '4'. This puts about: URLs in the Restricted Sites Zone. Hurrah!
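
The same registry change as a script, added here as an example that is not part of the original post: it reports the current zone mapping for about:, sets it to 4 only if needed, and reads the value back. It assumes an elevated PowerShell session (the key is under HKLM); the zone-name table is the standard IE zone numbering, not something taken from the post.

```powershell
# Added example: map about: URLs to the Restricted Sites zone (value 4).
# Must be run elevated, since the key lives under HKLM.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
$name = 'about'
$zone = 4   # value given in the post

# Standard Internet Explorer security zone numbers, for readable output.
$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

# Create the key if it is missing so the value can be written.
if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Read the existing mapping; $null means no explicit mapping is present.
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $current) {
    Write-Output "about: has no explicit zone mapping"
} else {
    Write-Output ("about: currently maps to zone {0} ({1})" -f $current, $zoneNames[[int]$current])
}

# Write the DWORD only when it differs, so repeated runs change nothing.
if ($current -ne $zone) {
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $zone -Force | Out-Null
    Write-Output "about: set to zone $zone ($($zoneNames[$zone]))"
}

# Verify by reading the value back from the registry.
$after = (Get-ItemProperty -Path $path -Name $name).$name
if ($after -ne $zone) {
    throw "Verification failed: about is mapped to zone $after, expected $zone"
}
Write-Output "Verified: about: URLs are in the $($zoneNames[$zone]) zone"
```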



