ZoneAlarm ShowHTMLDialog function obtain information
zonealarm-showhtmldialog-obtain-information (22971)
Description:
ZoneAlarm could allow a remote attacker to obtain sensitive information. If the default Web browser is authorized to access the World Wide Web, a remote attacker can create a program that calls the ShowHTMLDialog() function to open a modal dialog box that displays HTML, and that HTML can redirect the victim to the attacker's Web site. The attacker can then obtain sensitive information and possibly send command instructions to the compromised system.
Consequences:
Obtain Information
Remedy:
No remedy available as of July 9, 2011.
References:
- BugTraq Mailing List, Mon Nov 07 2005 - 12:46:04 CST: Zone Labs Products Advance Program Control and OS Firewall (Behavioral Based) Technology Bypass Vulnerability.
- Zone Labs Web site: Zone Labs, Internet security products, online safety, software, protection.
- BID-15347: Zone Labs Zone Alarm Advance Program Control Bypass Weakness
- CVE-2005-3560: Zone Labs (1) ZoneAlarm Pro 6.0, (2) ZoneAlarm Internet Security Suite 6.0, (3) ZoneAlarm Anti-Virus 6.0, (4) ZoneAlarm Anti-Spyware 6.0 through 6.1, and (5) ZoneAlarm 6.0 allow remote attackers to bypass the Advanced Program Control and OS Firewall filters setting via URLs in HTML Modal Dialogs (window.location.href) contained within JavaScript tags.
- OSVDB ID: 20677: ZoneAlarm ShowHTMLDialog() Outbound Filter Bypass
- SA17450: ZoneAlarm Personal Firewall Program Control Feature Bypass
Platforms Affected:
- CheckPoint ZoneAlarm 6.0
- CheckPoint ZoneAlarm 6.0 Pro
- CheckPoint ZoneAlarm Security Suite 6.0
- ZoneLabs ZoneAlarm Anti-Spyware 6.0
- ZoneLabs ZoneAlarm Anti-Spyware 6.1
- ZoneLabs ZoneAlarm Antivirus 6.0
Reported:
Nov 07, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
