CVE-2009-2350
Description
Microsoft Internet Explorer 6.0.2900.2180 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Internet Explorer 6 and earlier fail to block javascript: URIs in Refresh headers, enabling cross-site scripting via injected header content.
Vulnerability
Microsoft Internet Explorer 6 version 6.0.2900.2180 and earlier does not block javascript: URIs in the Refresh HTTP response header. This allows a remote attacker to perform cross-site scripting (XSS) attacks by injecting a Refresh header or controlling its content. The vulnerability is related to CVE-2009-1312 and affects IE6 exclusively (IE7 and IE8 are not vulnerable per the reference) [1][2].
Exploitation
The attacker needs a target web server that either reflects user input into a Refresh header or allows injection of arbitrary response headers, so that it returns a response carrying a header such as Refresh: 0; URL=javascript:alert(document.cookie). No authentication is required, and no user interaction beyond visiting the attacker-controlled or attacker-influenced page is needed. Common redirector scripts, or any mechanism that produces a Refresh header containing attacker-supplied data, provide such a vector [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the security context of the vulnerable web site's origin. This can lead to cookie theft, session hijacking, defacement, or other client-side attacks. The impact is limited to the confidentiality and integrity of the user's session with the affected site [1][2].
Mitigation
Microsoft Internet Explorer 6 is a legacy browser that reached end of life; no official patch was released for this specific vulnerability. Users are strongly advised to upgrade to a modern, supported browser such as Internet Explorer 7, Internet Explorer 8, or a current Edge/Chrome/Firefox release. Server operators should sanitize any user-supplied values placed in HTTP Refresh headers and avoid reflecting unvalidated input [1][2].
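As an added illustration of the server-side mitigation above against both vectors (header injection and attacker-controlled Refresh content), the following Python is not from the CVE record or any cited reference: it builds a Refresh header value only from validated targets and, on the detection side, flags an already-emitted header value whose target uses a script scheme. The function names are this example's own, and it additionally strips control characters before reading the scheme, since lenient URL parsers have accepted forms such as java<TAB>script:.

```python
import re
from typing import Optional

# Control characters and spaces are removed before the scheme is read, because
# lenient URL parsers have accepted forms such as "java<TAB>script:".
_STRIP = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
# Refresh field syntax: "<seconds>[; URL=<target>]" (a comma separator also occurs).
_REFRESH = re.compile(r"^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*(.*))?$", re.IGNORECASE)
_ALLOWED_SCHEMES = {"http", "https"}


def refresh_target_scheme(url: str) -> Optional[str]:
    """Effective scheme of a Refresh target in lowercase, or None if relative."""
    m = _SCHEME.match(_STRIP.sub("", url))
    return m.group(1).lower() if m else None


def is_safe_refresh_target(url: str) -> bool:
    """Allow only http(s) or relative targets; refuse javascript:, data:,
    vbscript: and similar, plus protocol-relative '//host' targets."""
    if _STRIP.sub("", url).startswith("//"):
        return False
    scheme = refresh_target_scheme(url)
    return scheme is None or scheme in _ALLOWED_SCHEMES


def build_refresh_header(delay: int, target: str) -> str:
    """Build a Refresh header value from a user-supplied target (vector 2),
    refusing CR/LF so the value cannot inject further headers (vector 1).
    Raises ValueError when the target must not be emitted."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF in redirect target (header injection)")
    if not is_safe_refresh_target(target):
        raise ValueError("disallowed scheme in redirect target")
    return f"{int(delay)}; URL={target}"


def refresh_header_has_script(value: str) -> bool:
    """Detection side: True if an observed Refresh header value (e.g. from a
    proxy log) points at a non-http(s) scheme such as javascript:."""
    m = _REFRESH.match(value)
    if not m or m.group(2) is None:
        return False
    target = m.group(2).strip().strip("\"'")
    scheme = refresh_target_scheme(target)
    return scheme is not None and scheme not in _ALLOWED_SCHEMES
```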
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
News mentions (0)
No linked articles in our index yet.