Saturday, June 28, 2008

Internet Explorer 6 Window "location" Handling Vulnerability

A cross-site scripting (XSS) vulnerability in Internet Explorer 6 itself, not in any particular website.

The vulnerability is caused by an input validation error in how IE6 handles the "location" or "location.href" property of a window object. A malicious website can exploit it to, for example, open a trusted site in a new window and execute arbitrary script code in the user's browser session in the context of that trusted site, bypassing the same-origin policy. The effect is the same as an XSS flaw in the trusted site: the injected script can read and modify that site's page content and act with the user's session there.

  • For companies: upgrade to Internet Explorer 7.

  • For users: switch to Firefox.