Signature Detail
Short Name |
HTTP:STC:IE:CHROME-HTML-CMD-INJ |
|---|---|
Severity |
Medium |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Internet Explorer chromeHTML Command Line Parameter Injection |
Release Date |
2012/11/22 |
Update Number |
2205 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: Internet Explorer chromeHTML Command Line Parameter Injection
This signature detects attempts to exploit a known vulnerability against Internet Explorer's "ChromeHTML" protocol handler. A successful attack can lead to arbitrary code execution.
Extended Description
Internet Explorer is prone to a vulnerability that lets attackers inject command-line parameters through protocol handlers. This issue occurs because the application fails to adequately sanitize user-supplied input. Exploiting this issue would permit remote attackers to influence command options that can be called through the vulnerable protocol handler and to execute commands with the privileges of a user running the application. Attackers may also be able to leverage this issue to execute arbitrary code with the privileges of the user running the vulnerable application. Internet Explorer 8 beta 2 is vulnerable; other versions may also be affected. This issue is being retired as a duplicate of BID 32997 (Google Chrome 'chromeHTML://' Command Line Parameter Injection Vulnerability).
Affected Products
- Microsoft Internet Explorer 8 Beta 2
References
- BugTraq: 32999
- CVE: CVE-2008-5750