Razor Warning: SPAM/UBE/UCE

From: the Pull (osioniusxat_private)
Date: Fri Jan 04 2002 - 17:19:57 PST


    --- jelmer <jelmerat_private> wrote:
    > 
    > More reading of local files in MSIE
    > 
    > Description
    > 
    > 
    > There is a security vulnerability in IE 5.5 and 6
    > (probably other
    > versions as well) which allows reading and sending
    > of local files.
    > The problem lies in the fact that you are able to
    > access a local file's
    > dom by calling the execScript function on a newly
    > created window
    > The sample exploit provided can only read browser
    > readable files 
    
    It might be noted here that this tends to be
    "text/html", and probably the most single vulnerable
    filetype that is of this kind is of ".log" format.
    This means if you can read "c:\file.txt" you can also
    read Apache, IIS, database, mIRC, and whatever other
    type of .log files might be on someone's system except
    for ones locked by a system process.
    
    ... however, from looking at the source code it
    contains the same usage of document.write() which was
    in the bug I just released.
    
    Jelmer's:
    "        extDoc =
    document.open('file:///C:/jelmer.txt','jelmer','height=200,width=400,status=no,toolbar=no,menubar=no,location=no');"
    
    mine:
    var y = document.open( "c:/test.txt", "x",
    "width=400,height=400,status = yes, location =
    yes,resizable = yes, toolbar=yes" );
    
    It doesn't matter if it is "cmd  =
    'extDoc.execScript("alert(document.body.innerText)",
    "Jscript");';" that is able to read the code or this:
    setTimeout('alert(y.document.body.innerHTML);y.document.close();',1000);
    -- they are just the same thing.
    
    (ref: http://www.osioniusx.com, document.write() bug)
    
    Basically, the problem is that when the
    document.write() uses the window.open() method as
    described on the msdn website for the method here:
    
    http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/open_1.asp
    
    The actual exploit code doesn't really matter. I
    understand the misunderstanding because it is just
    simply such a common method.
    
    
    
    >however
    > it is highly likely that reading binary files is
    > possible as well
    > (By attaching an event to the dom that calls the
    > httpxmlcomponent, which
    > itself at the point of writing is still vulnerable
    > as well) 
    > In order for this exploit to work the file name must
    > be known. 
    > 
    > Risk
    > 
    > High
    > 
    > Systems affected:
    > 
    > The vulnerability has been successfully exploited on
    > IE 6 / Windows XP with all patches installed
    > IE 5.5 / Windows ME
    > 
    > 
    > Most likely other operating system / internet
    > explorer versions are
    > vulnerable as well I have not tested it though
    > 
    > Vendor status: 
    > 
    > I sent Microsoft a cc of my bugtraq post
    > 
    > Example: 
    > 
    > A working example is available at
    > http://www.xs4all.nl/~jkuperus/bug2.htm
    > Workaround:
    > 
    > Disable active scripting
    > 
    > 
    > -- Insert some random nasty remarks about Microsoft
    > at the dotted line
    > 
    > 
    > 
    > 
    
    
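    As an added detection-side example (not part of this thread, and not code from either poster): a small Python check for the two halves of the pattern discussed above, a window opened on a local path and that window's document then scripted or read back, run over constructed samples that include the two snippets quoted in the thread. The pattern names, regexes and sample strings are my own.

```python
import re

# Added example: static check for the two-part pattern described in the thread.
# Half 1: window.open()/document.open() whose first argument is a LOCAL path
# (a file:/// URL or a drive letter such as C:/ or c:\).
LOCAL_OPEN = re.compile(
    r"""(?:window|document)\s*\.\s*open\s*\(\s*['"](?:file:///|[a-z]:[\\/])""",
    re.IGNORECASE,
)

# Half 2: the opened window being scripted (execScript) or its body read back
# through innerText / innerHTML.
READBACK = re.compile(
    r"""\.\s*(?:execScript\s*\(|document\s*\.\s*body\s*\.\s*inner(?:Text|HTML)\b)""",
    re.IGNORECASE,
)


def flags_local_file_read(script: str) -> bool:
    """True only when BOTH halves appear: a local open and a read-back/script call."""
    return bool(LOCAL_OPEN.search(script) and READBACK.search(script))


# Constructed samples (assumed, not captured traffic): the two snippets quoted in
# the thread, plus a benign popup that reads a remote page and must not flag.
SAMPLES = {
    "jelmer": (
        "extDoc = document.open('file:///C:/jelmer.txt','jelmer','height=200,width=400');"
        "cmd = 'extDoc.execScript(\"alert(document.body.innerText)\", \"Jscript\");';"
    ),
    "pull": (
        'var y = document.open( "c:/test.txt", "x", "width=400,height=400" );'
        "setTimeout('alert(y.document.body.innerHTML);y.document.close();',1000);"
    ),
    "benign": (
        "var w = window.open('http://example.com/page.html', 'w');"
        "setTimeout('alert(w.document.body.innerHTML)', 1000);"
    ),
}


def scan_samples() -> dict:
    """Map each sample name to whether the local-file read pattern was found."""
    return {name: flags_local_file_read(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name}: {'FLAGGED' if hit else 'ok'}")
```

    A remote window.open() followed by an innerHTML read does not flag on its own; only the combination with a local path does.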
    



    This archive was generated by hypermail 2b30 : Sat Jan 05 2002 - 17:34:55 PST