Bugtraq mailing list archives

Re: IE can read local files


From: shrdlu () PACBELL NET (Lynda L. True)
Date: Sat, 5 Sep 1998 11:13:36 -0700


Mike Dion wrote:
Netscape Navigator Version 3.01 is vulnerable too...
I didn't test any other Netscape versions...

Netscape Navigator/Communicator 4.0.4 seems not to be, and it causes the
javascript error "JavaScript Error: illegal URL method 'file:' "

At 04:33 98-09-05 -0400, Georgi Guninski wrote:
There is a bug in Internet Explorer 3, 4.0, 4.01 (for version information
see Microsoft's info below), which allows a specially designed web page to
read text or HTML files from the user's computer and send their contents to
an arbitrary host, even if the user is behind a firewall. The bug uses
Javascript and the file name and location must be known.

Demonstration of this is available at:
http://www.geocities.com/ResearchTriangle/1711/good-read.html

Workaround: Disable Javascript.
Microsoft has released a patch at:
http://www.microsoft.com/security/bulletins/ms98-013.htm

Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711

--
17C1 6CBC 214C EF1E E28D  42FD 2B1E A12A FEF2 25AB (DiffieHellman)
Adapt or perish  ---------  Frank Baxter, Jeffries & Co.
shrdlu () pacbell net, shrdlu () rocketmail com, shrdlu () willow sdd trw com


