Bugtraq mailing list archives
Re: More reading of local files in MSIE
From: the Pull <osioniusx () yahoo com>
Date: Fri, 4 Jan 2002 17:19:57 -0800 (PST)
--- jelmer <jelmer () kuperus xs4all nl> wrote:
> More reading of local files in MSIE
>
> Description
>
> There is a security vulnerability in IE 5.5 and 6 (probably other versions as well) which allows reading and sending of local files. The problem lies in the fact that you are able to access a local file's DOM by calling the execScript function on a newly created window. The sample exploit provided can only read browser-readable files.
It might be noted here that this tends to be "text/html", and probably the single most vulnerable filetype of this kind is the ".log" format. This means if you can read "c:\file.txt" you can also read Apache, IIS, database, mIRC, and whatever other type of .log files might be on someone's system, except for ones locked by a system process.

... however, from looking at the source code, it contains the same usage of document.write() which was in the bug I just released.

Jelmer's:

    extDoc = document.open('file:///C:/jelmer.txt','jelmer','height=200,width=400,status=no,toolbar=no,menubar=no,location=no');

Mine:

    var y = document.open( "c:/test.txt", "x", "width=400,height=400,status = yes, location = yes,resizable = yes, toolbar=yes" );

It doesn't matter if it is

    cmd = 'extDoc.execScript("alert(document.body.innerText)", "Jscript");';

that is able to read the code, or this:

    setTimeout('alert(y.document.body.innerHTML);y.document.close();',1000);

-- they are just the same thing (ref: http://www.osioniusx.com, document.write() bug). Basically, the problem is that when the document.write() uses the window.open() method as described on the MSDN website for the method here: http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/open_1.asp

The actual exploit code doesn't really matter. I understand the misunderstanding, because it is just simply such a common method.
> However, it is highly likely that reading binary files is possible as well (by attaching an event to the DOM that calls the httpxmlcomponent, which itself at the point of writing is still vulnerable as well). In order for this exploit to work the file name must be known.
>
> Risk
>
> High
>
> Systems affected:
>
> The vulnerability has been successfully exploited on IE 6 / Windows XP with all patches installed and IE 5.5 / Windows ME. Most likely other operating system / Internet Explorer versions are vulnerable as well; I have not tested it though.
>
> Vendor status:
>
> I sent Microsoft a cc of my bugtraq post.
>
> Example:
>
> A working example is available at http://www.xs4all.nl/~jkuperus/bug2.htm
>
> Workaround:
>
> Disable active scripting
>
> --
> Insert some random nasty remarks about Microsoft at the dotted line