NVD Vulnerability Detail

CVE-2011-2383

Summary	Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue, aka "Drag and Drop Information Disclosure Vulnerability." NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release.
Publication Date	June 4, 2011, 2:55 a.m.
Registration Date	Jan. 28, 2021, 4:38 p.m.
Last Update	Nov. 21, 2024, 10:28 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:microsoft:internet_explorer:8:::::::*
cpe:2.3:a:microsoft:internet_explorer:5:::::::*
cpe:2.3:a:microsoft:ie:9:beta::::::
cpe:2.3:a:microsoft:internet_explorer:7:::::::*
cpe:2.3:a:microsoft:internet_explorer:6:::::::*
cpe:2.3:a:microsoft:internet_explorer:3.0:::::::*
cpe:2.3:a:microsoft:internet_explorer:4.0:::::::*
cpe:2.3:a:microsoft:internet_explorer::::::::		9

Related information, measures and tools

No	URL	refsource	タグ
1	http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388
2	http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt
3	http://news.cnet.com/8301-1009_3-20066419-83.html
4	http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/
5	http://www.informationweek.com/news/security/vulnerabilities/229700031
6	http://www.networkworld.com/community/node/74259
7	http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/
8	http://www.youtube.com/watch?v=V95CX-3JpK0
9	http://www.youtube.com/watch?v=VsSkcnIFCxM
10	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-057
11	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12820
12	https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt
13	http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388
14	https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt
15	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12820
16	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-057
17	http://www.youtube.com/watch?v=VsSkcnIFCxM
18	http://www.youtube.com/watch?v=V95CX-3JpK0
19	http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/
20	http://www.networkworld.com/community/node/74259
21	http://www.informationweek.com/news/security/vulnerabilities/229700031
22	http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/
23	http://news.cnet.com/8301-1009_3-20066419-83.html
24	http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

JVN Vulnerability Information

Microsoft Internet Explorer における Cookie を読まれる脆弱性

Title	Microsoft Internet Explorer における Cookie を読まれる脆弱性
Summary	Microsoft Internet Explorer は、クロスゾーンのドラッグ＆ドロップ操作を適切に制限しないため、Cookie を読まれる脆弱性が存在します。
Possible impacts	攻撃者により、Cookie を読まれる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 9, 2011, midnight
Registration Date	Aug. 26, 2011, 10:17 a.m.
Last Update	Aug. 26, 2011, 10:17 a.m.

Affected System

マイクロソフト

Microsoft Internet Explorer 6

Microsoft Internet Explorer 7

Microsoft Internet Explorer 8

Microsoft Internet Explorer 9

Microsoft Windows 7 (x32)

Microsoft Windows 7 (x64)

Microsoft Windows Vista

Microsoft Windows Vista (x64)

Microsoft Windows XP (x64)

Microsoft Windows XP sp3

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-2383	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2383
National Vulnerability Database (NVD)
2	CVE-2011-2383	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2383

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Microsoft Security Bulletin
1	MS11-057	http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx
マイクロソフトセキュリティ情報
2	MS11-057	http://www.microsoft.com/japan/technet/security/bulletin/MS11-057.mspx
富士通セキュリティ情報
3	TA11-221A	http://software.fujitsu.com/jp/security/vulnerabilities/ta11-221a.html

その他

No	Name	URL
JPCERT 緊急報告
1	JPCERT-AT-2011-0021	http://www.jpcert.or.jp/at/2011/at110021.txt
JVN
2	JVNTA11-221A	http://jvn.jp/cert/JVNTA11-221A
OPEN SOURCE VULNERABILITY DATABASE (OSVDB)
3	72724	http://osvdb.org/72724
Secunia Advisory
4	SA19057	http://secunia.com/advisories/19057
5	SA45565	http://secunia.com/advisories/45565
SecurityFocus
6	47989	http://www.securityfocus.com/bid/47989
SecurityTracker
7	1025893	http://www.securitytracker.com/id?1025893
US-CERT Cyber Security Alerts
8	SA11-221A	http://www.us-cert.gov/cas/alerts/SA11-221A.html
US-CERT Technical Cyber Security Alert
9	TA11-221A	http://www.us-cert.gov/cas/techalerts/TA11-221A.html
警察庁 @police
10	マイクロソフト社のセキュリティ修正プログラムについて(MS11-057,058,059,060,061,062,063,064,065,066,067,068,069)(2011年08月10日)	http://www.npa.go.jp/cyberpolice/#topics

Change Log

No	Changed Details	Date of change
0	[2011年08月26日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:microsoft:internet_explorer:8:::::::*
cpe:2.3:a:microsoft:internet_explorer:5:::::::*
cpe:2.3:a:microsoft:ie:9:beta::::::
cpe:2.3:a:microsoft:internet_explorer:7:::::::*
cpe:2.3:a:microsoft:internet_explorer:6:::::::*
cpe:2.3:a:microsoft:internet_explorer:3.0:::::::*
cpe:2.3:a:microsoft:internet_explorer:4.0:::::::*
cpe:2.3:a:microsoft:internet_explorer::::::::		9