Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: internet explorer local file reading

From: Andreas Sandblad <sandblad () acc umu se>
Date: Mon, 3 Feb 2003 20:10:51 +0100 (CET)
Nice Jelmer.

First of all, I can confirm it on Win2000 pro, IE 6 SP1.

This is not the first time we have seen user interaction
problems with the upload control. Maybe you remember:
"Pressing CTRL in IE is dangerous"
http://online.securityfocus.com/archive/1/283866
(Taking advantage of pasting. SHIFT also works because SHIFT-INSERT =
CTRL-V)

Btw, we only need to know the relative path. For example we can use:
"..\\Cookies\\index.dat" instead of "c:\\jelmer.txt"

/Andreas Sandblad

On Mon, 3 Feb 2003, jelmer wrote:


 We allready knew pressing the back button on IE is dangerous
(http://online.securityfocus.com/archive/1/267561)  So it wont come as a
total shock
that so is clicking a link :)
The problem lies in the dragdrop method that was added as a method on
nearly all HTML elements in ie5.5 This method makes any element act like its
being dragged.

It is possible to abuse this behaviour to drop text in a html upload control
thus
allowing you to read any file from an unsuspecting users harddisk. In order
for it to
be succesfull the name of the file must be known

basicly drag and dropping text takes a couple of steps

- select text
- press mouse
- move mouse over over an element that can accept it
- release mouse.

It is possible to mimic all the above steps but the pressing of the button
by using
javascript

a demo is provided at

http://kuperus.xs4all.nl/security/ie/xfiles.htm

it isn't very elegant but seems to work most of the time (ie acts a little
flakey at times),
there  are probably better ways to do it  if you know of any let me know ;)


it was tested on ie 6 sp1 + all patches

Microsoft was notified a couple of days back, haven't recieved anything back
yet

If you want to protect yourself against this disable active scripting


references:

http://webreference.com/programming/javascript/dragdropie/3.html
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/dragdrop.a
sp



-- 
    _     _
  o' \,=./ `o
     (o o)
-ooO--(_)--Ooo-
Previous By Date Next
Previous By Thread Next

Current thread: