Vulnerability Name:

CVE-2005-4827 (CCN-22472)

Assigned: 2005-09-26
Published: 2005-09-26
Updated: 2021-07-23
Summary: Internet Explorer 6.0, and possibly other versions, allows remote attackers to bypass the same origin security policy and make requests outside of the intended domain by calling open on an XMLHttpRequest object (Microsoft.XMLHTTP) and using tab, newline, and carriage return characters within the first argument (method name), which is supported by some proxy servers that convert tabs to spaces.
Note: this issue can be leveraged to conduct referer spoofing, HTTP Request Smuggling, and other attacks.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-Other
Vulnerability Consequences: Data Manipulation
References:
Source: CCN
Type: BugTraq Mailing List, Sat Sep 24 2005 - 12:50:30 CDT
"Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein

Source: MITRE
Type: CNA
CVE-2005-4827

Source: FULLDISC
Type: Vendor Advisory
20070203 Web 2.0 backdoors made easy with MSIE & XMLHttpRequest

Source: CCN
Type: SA16942
Microsoft Internet Explorer "XMLHTTP" HTTP Request Injection

Source: CCN
Type: OSVDB ID: 19662
Microsoft IE XMLHTTP HTTP Request Injection

Source: BUGTRAQ
Type: Exploit
20050924 "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein

Source: BUGTRAQ
Type: UNKNOWN
20070204 Re: Web 2.0 backdoors made easy with MSIE & XMLHttpRequest

Source: BID
Type: UNKNOWN
14969

Source: CCN
Type: BID-14969
Microsoft Internet Explorer XmlHttpRequest Parameter Validation Weakness

Source: XF
Type: UNKNOWN
ie-activex-http-request-injection(22472)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0.2600:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0.2800:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:*:windows_2000:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0.2900.2180:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:*:windows_server_2003:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:windows_xp_sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:sp1:windows_98_se:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:sp1:windows_xpsp1:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:*:windows_server_2003:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:windows_2000_sp4:*:*:*:*:*:*
  • OR cpe:/h:canon:network_camera_server_vb101:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:*:windowsxp:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:windows_server_2003_sp1_itanium_systems:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:*:windows_server:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:*:windows_xp_professional_64bit:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:sp2:windows_xp:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:sp1:windows_xp:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:sp1:windows_millennium:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:sp1:windows_2000:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:*:microsoft_windows_server_2003_sp1:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:windows_server_2003_sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:windows_server_2003_sp1_itanium:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:sp1:windows_98:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6:windows_xp_sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0.2800.1106:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:sp2:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    microsoft internet explorer 6.0
    microsoft internet explorer 6.0.2600
    microsoft internet explorer 6.0.2800
    microsoft ie 6
    microsoft internet explorer 6.0.2900.2180
    microsoft ie 6.0
    microsoft ie 6.0 sp2
    microsoft ie 6.0 windows_xp_sp2
    microsoft ie 6 sp1
    microsoft ie 6 sp1
    microsoft ie 6
    microsoft ie 6 windows_2000_sp4
    canon network camera server vb101 *
    microsoft ie 6.0
    microsoft ie 6 windows_server_2003_sp1_itanium_systems
    microsoft ie 6.0
    microsoft ie 6.0 sp1
    microsoft internet explorer 6 sp1
    microsoft ie 6
    microsoft ie 6.0 sp2
    microsoft ie 6.0 sp1
    microsoft ie 6 sp1
    microsoft ie 6.0 sp1
    microsoft ie 6
    microsoft ie 6 windows_server_2003_sp1
    microsoft ie 6 windows_server_2003_sp1_itanium
    microsoft ie 6 sp1
    microsoft ie 6 windows_xp_sp2
    microsoft internet explorer 6.0.2800.1106
    microsoft ie 6.0
    microsoft ie 6.0 sp2