Re: More reading of local files in MSIE
From: Dave Ahmad (da@securityfocus.com)
Date: 01/05/02
- Previous message: keith royster: "VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE"
- In reply to: jelmer: "More reading of local files in MSIE"
- Next in thread: the Pull: "Re: More reading of local files in MSIE"
Date: Fri, 4 Jan 2002 17:47:52 -0700 (MST)
From: Dave Ahmad <da@securityfocus.com>
To: jelmer <jelmer@kuperus.xs4all.nl>

Jelmer,

Exploitation is not limited to disclosing the contents of files on client
systems. If your exploit page is modified so that a website is opened rather
than a local file, the calling script can access the properties of the
website. The problem here is that IE6/5.5 does not properly enforce
the same origin policy.

I believe that this is just another way to exploit the same basic
(but extremely serious) problem that was reported by The Pull in this
post:

http://www.securityfocus.com/archive/1/246522

Also see this entry in the SecurityFocus Vulnerability Database:

http://www.securityfocus.com/bid/3721

I have not yet seen a public response from Microsoft. According to The
Pull, they were notified (it also went over the list).

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Fri, 4 Jan 2002, jelmer wrote:

> More reading of local files in MSIE
>
> Description
>
>
> There is a security vulnerability in IE 5.5 and 6 (probably other
> versions as well) which allows reading and sending of local files.
> The problem lies in the fact that you are able to access a local file's
> DOM by calling the execScript function on a newly created window.
> The sample exploit provided can only read browser-readable files; however,
> it is highly likely that reading binary files is possible as well
> (by attaching an event to the DOM that calls the httpxmlcomponent, which
> itself at the point of writing is still vulnerable as well).
> In order for this exploit to work the file name must be known.
>
> Risk
>
> High
>
> Systems affected:
>
> The vulnerability has been successfully exploited on
> IE 6 / Windows XP with all patches installed
> IE 5.5 / Windows ME
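
The same-origin decision that the reply above says IE 5.5/6 did not enforce, as an added example that is not part of the original thread and is not IE's code. The URLs, file path, and function names are constructed for illustration, and treating `file:` as an origin that matches nothing is an assumption of this sketch.

```javascript
// Added example: models the access decision only; this is not IE's code.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its "scheme|host|port" origin, or null when it has none.
// Assumption of this sketch: file: and every other non-HTTP(S) scheme is
// treated as an opaque origin that matches nothing, not even itself.
function originOf(href) {
  let u;
  try {
    u = new URL(href);
  } catch (e) {
    return null; // unparsable input never gets an origin
  }
  if (!Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, u.protocol)) return null;
  // The URL parser drops a default port, so restore it for comparison.
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol]].join('|');
}

// May a script running at callerHref read properties of a window showing targetHref?
function mayAccessDom(callerHref, targetHref) {
  const caller = originOf(callerHref);
  const target = originOf(targetHref);
  return caller !== null && caller === target;
}

// Constructed cases: the first two are the situations described in the thread.
const CASES = [
  ['http://site-a.example/page.html', 'file:///C:/constructed/known-name.txt'],
  ['http://site-a.example/page.html', 'http://site-b.example/'],
  ['http://site-a.example/page.html', 'http://site-a.example:80/other.html'],
  ['http://site-a.example/page.html', 'https://site-a.example/'],
  ['http://site-a.example/page.html', 'http://site-a.example:8080/'],
];

function decide(cases) {
  return cases.map(([caller, target]) => ({
    caller, target, allowed: mayAccessDom(caller, target),
  }));
}

for (const r of decide(CASES)) {
  console.log(`${r.allowed ? 'ALLOW' : 'DENY '} ${r.caller} -> ${r.target}`);
}
```

Only the third case is allowed: the scheme, host, and port all match once the default port is restored.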