Bugtraq mailing list archives

The Cuartango Security Hole in IE4


From: aleph1 () DFW NET (Aleph One)
Date: Mon, 12 Oct 1998 11:36:13 -0500


---------- Forwarded message ----------
Date: Sun, 11 Oct 1998 15:17:41 -0400
From: Richard M. Smith <rms () PHARLAP COM>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: The Cuartango Security Hole in IE4

Hello,

Juan Carlos G. Cuartango of Spain has discovered an
extremely serious security hole in Internet Explorer 4.  With
a small amount of JavaScript code on a Web page, a Web
site operator can steal any file from a user's
hard disk and automatically upload the contents to a Web server.
More worrisome is the fact that the security hole
can be also exploited in an HTML-based Email message
in Outlook Express.  Simply by reading a booby-trapped
Email message, private files can be stolen from one's
hard disk.  Most computer users, I suspect, will consider
this an unacceptable product defect.

Details of the security hole were posted late last week at
Mr. Cuartango's Web site:

     http://pages.whowhere.com/computers/cuartangojc/cuartangoh1.html

The Web site also contains a demo of the security problem.

The demo is based on a standard file uploader HTML form.  Normally
only the user can manually set the name of the file to upload,
but IE4 inadvertently allows JavaScript to execute cut and paste
functions to set the file name.  After the file name is set,
JavaScript auto-submits the form to upload the file.

I've tested the demo on three different systems and it worked
on two of them.  The one system in which the demo failed
was running the original release of IE4 which came out September
of last year.  The two systems on which the demo worked
were running IE 4.01 which started shipping earlier this
year.  The demo appears to work both on Windows 95 and
Windows 98.  It should also work on Windows NT, but I haven't
had time to test it.

The bug is also reported to be present in the preview version of IE5.

According to Juan Carlos's Web site, Microsoft has confirmed
the bug and is now looking at how to fix it.

Richard M. Smith
rms () pharlap com
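The property the report describes being violated is that the file-name field of an upload form must only ever be filled by the user, never by script. The page below is an added check, not Cuartango's demo and not code from Smith's post: it builds the same kind of upload form, has script attempt the two things the report says IE4 allowed (setting the file name, then auto-submitting) and logs what a current, standards-conforming browser does instead. The action URL, element ids and the target path are hypothetical.

```html
<!-- Added example (editor's, not from the original post): a minimal upload form
     plus script that tries to fill the file field without user involvement.
     Hypothetical: the action URL, the ids "up", "f", "log" and the target path. -->
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>File input scriptability check</title></head>
<body>
<form id="up" action="https://example.invalid/upload" method="post"
      enctype="multipart/form-data">
  <input id="f" type="file" name="f">
  <input type="submit" value="Upload">
</form>
<pre id="log"></pre>
<script>
  var target = "c:\\autoexec.bat";          // hypothetical file an attacker would want
  var log = document.getElementById("log");
  function say(s) { log.textContent += s + "\n"; }

  var f = document.getElementById("f");

  // 1. Direct assignment.  Per the HTML standard, assigning anything other than
  //    the empty string to a file input's .value throws InvalidStateError, so a
  //    page cannot pick the file for the user.
  try {
    f.value = target;
    say("assignment accepted: " + f.value + " (this would be a bug)");
  } catch (e) {
    say("assignment rejected: " + e.name);
  }

  // 2. Clipboard route, the one the report says IE4 exposed.  execCommand("paste")
  //    from page script returns false in current browsers (no user gesture, and
  //    paste never targets a file input), so the field stays empty.
  var pasted = false;
  try { pasted = document.execCommand("paste"); } catch (e) { pasted = false; }
  say("execCommand paste returned " + pasted +
      ", file field value is " + JSON.stringify(f.value));

  // 3. Auto-submit.  The form can still be submitted by script, but with no file
  //    selected the multipart body carries an empty part, which the server must
  //    treat as "no file".  Left commented so this page does not navigate.
  say("files selected: " + f.files.length);
  // document.getElementById("up").submit();
</script>
</body>
</html>
```

Opening this page in a current browser should log "assignment rejected: InvalidStateError", "execCommand paste returned false" with an empty field value, and "files selected: 0"; any browser that reports otherwise has the same class of defect this advisory describes, since the file control's contents would then be under page control rather than the user's.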
