If you look under scripting options in security settings there is the option "Allow paste via script"; simply turning this to disabled provides this result:

<paste>
See the contents of your file among the other stuff
----------------------------------------------------------------------------
----
-----------------------------7cf26c3b6a8
Content-Disposition: form-data; name = "a"; filename=""
Content-Type: application/octet-stream

-----------------------------7cf26c3b6a8--
</paste>

which as far as I see has disabled the reading of local files and is a little less drastic than disabling all JavaScript.

Regards,
Andrew Tulloch

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Georgi Guninski
> Sent: 30 March 1999 17:35
> To: BUGTRAQat_private
> Subject: IE 5.0 allows reading and sending local files to a remote server
>
>
> There is a security bug in Internet Explorer 5.0, which allows reading and
> sending local files to a remote server.
> The problem is a bug in the DHTML edit control, which allows pasting a
> filename in a FILE object. When the form is submitted via JavaScript, the
> contents of the file are sent to a remote server.
>
> Demonstration is available at: http://www.nat.bg/~joro/fr.html
>
> Workaround: Disable JavaScript
>
> I would like to thank Juan Cuartango
> (http://pages.whowhere.com/computers/cuartangojc/index.html) for his IE exploits,
> which helped me a lot for discovering this vulnerability!
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
>
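Added example, not part of either message above: a Python check that parses a captured multipart/form-data body and reports whether any file field actually carried a filename or data, which is what the empty part in the quoted <paste> output indicates. The two sample bodies are constructed for illustration (only the boundary id 7cf26c3b6a8 comes from the post), and the function names are hypothetical.

```python
from email import message_from_bytes

# Constructed samples modelled on the <paste> output quoted in the post.
BOUNDARY = "-" * 27 + "7cf26c3b6a8"


def build_body(filename, content):
    """Build a one-field multipart/form-data body (constructed test input)."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="a"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
    )
    return head.encode() + content + f"\r\n--{BOUNDARY}--\r\n".encode()


BLOCKED_BODY = build_body("", b"")  # shape seen with paste via script disabled
LEAK_BODY = build_body("notes.txt", b"constructed file contents")


def file_parts(body, boundary):
    """Return (field name, filename, payload size) for every file field."""
    header = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'
    msg = message_from_bytes(header.encode() + body)
    if not msg.is_multipart():
        raise ValueError("body is not a well-formed multipart message")
    found = []
    for part in msg.get_payload():
        filename = part.get_param("filename", None, "content-disposition")
        if filename is None:
            continue  # ordinary text field, not a file input
        name = part.get_param("name", "", "content-disposition")
        data = part.get_payload(decode=True) or b""
        found.append((name, filename, len(data)))
    return found


def leaked_files(body, boundary):
    """File fields that carried a filename or any bytes of content."""
    return [p for p in file_parts(body, boundary) if p[1] or p[2]]


if __name__ == "__main__":
    for label, body in (("blocked", BLOCKED_BODY), ("leak", LEAK_BODY)):
        print(label, leaked_files(body, BOUNDARY))
```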
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:11 PDT