Re: More reading of local files in MSIE

From: Dave Ahmad (da@securityfocus.com)
Date: 01/05/02


Date: Fri, 4 Jan 2002 17:47:52 -0700 (MST)
From: Dave Ahmad <da@securityfocus.com>
To: jelmer <jelmer@kuperus.xs4all.nl>

Jelmer,

Exploitation is not limited to disclosing the contents of files on client
systems. If your exploit page is modified so that a website is opened rather
than a local file, the calling script can access the properties of the
website. The problem here is that IE6/5.5 does not properly enforce
the same origin policy.

I believe that this is just another way to exploit the same basic
(but extremely serious) problem that was reported by The Pull in this
post:

http://www.securityfocus.com/archive/1/246522

Also see this entry in the SecurityFocus Vulnerability Database:

http://www.securityfocus.com/bid/3721

I have not yet seen a public response from Microsoft. According to The
Pull, they were notified (it also went over the list).

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Fri, 4 Jan 2002, jelmer wrote:

> More reading of local files in MSIE
>
> Description
>
>
> There is a security vulnerability in IE 5.5 and 6 (probably other
> versions as well) which allows reading and sending of local files.
> The problem lies in the fact that you are able to access a local file's
> dom by calling the execScript function on a newly created window
> The sample exploit provided can only read browser readable files however
> it is highly likely that reading binary files is possible as well
> (By attaching an event to the dom that calls the httpxmlcomponent, witch
> itself at the point of writing is still vulnerable as well)
> In order for this exploit to work the file name must be known.
>
> Risk
>
> High
>
> Systems affected:
>
> The vulnerability has been successfully exploited on
> IE 6 / Windows XP with all patches installed
> IE 5.5 / Windows ME