IE7 users: beware of "Navigation Canceled" errors!

Written by KF

Thursday, 15 March 2007

Did you feel secure with your brand new Internet Explorer 7? Well, Aviv Raff published on his blog an interesting vulnerability affecting it: a cross-site scripting in the navcancl.htm local resource.

This resource is called when the navigation to a page has been canceled, it displays an error message with a link to reload the current page, however the link is not filtered before being used (successful exploitation requires the user to click on the link). The researcher also explains how the browser does not show in the URL the local resource when it is called, this design flaw can thus be combined with the XSS vulnerability to conduct very dangerous phishing attacks.

A proof of concept is available on the researcher's web site:
For those who do not have Internet Explorer 7, a video is also provided:

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.