[10505] in bugtraq


Bookmarks security vulnerabilities in both Internet Explorer 5.0

daemon@ATHENA.MIT.EDU (Georgi Guninski)
Sun May 9 23:35:04 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Message-Id: <37359CE2.9CAA0066@nat.bg>
Date: Sun, 9 May 1999 17:34:10 +0300
Reply-To: Georgi Guninski <joro@NAT.BG>
From: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@NETSPACE.ORG

There is a design flaw in both Internet Explorer 5.0 and Netscape Communicator 4.51 Win95 (guess all 4.x versions of both browsers are vulnerable too) in the way they handle bookmarks.

The problem arises if the user bookmarks (adds to favorites) a specially designed "javascript:" URL and later chooses it. When the bookmark is chosen, the JavaScript code in it is executed in the context (the same domain and protocol) of the document opened prior to choosing the bookmark, so the JavaScript code has access to documents in the same domain. An interesting case is choosing the bookmark when the active document is a local file (the protocol is "file:"): then the JavaScript code has access to local files and directories.

The vulnerabilities are more serious for Internet Explorer 5.0.

Some of the vulnerabilities are:

 For Internet Explorer 5.0:
  Reading local files if the filename is known;
  Reading files in the domain of the active document (even if the web
server is blocked by a firewall);
  Reading links in the active document and in documents in the same
domain;
  Web spoofing of documents in the domain of the active document;

  Demonstration is available at: http://www.nat.bg/~joro/favorites.html

 For Netscape Communicator 4.51:
  Browsing local directories;
  Reading local files in the directory of the active document;
  Reading links in the active document and in documents in the same
domain;
  Web spoofing of documents in the domain of the active document;

  Demonstration is available at: http://www.nat.bg/~joro/bookmarks.html

Workaround: Disable JavaScript or do not bookmark untrusted pages
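As an added example (not part of this post or of the demonstration pages it links), a defender-side check in Python that scans stored bookmarks for the "javascript:" scheme described above, so that entries the workaround says not to keep can be found. It assumes the Netscape bookmarks.html format (one `<A HREF=...>` per entry) and the Internet Explorer favorites format (one `.url` file per entry with a `URL=` line), and normalises the target the way browsers tend to before checking the scheme; the sample inputs are constructed.

```python
import re
from html.parser import HTMLParser

def is_script_url(url: str) -> bool:
    """True if choosing this bookmark would run script instead of navigating.
    Mimics browser tolerance: leading whitespace/control bytes are ignored,
    the scheme is case-insensitive, and tab/CR/LF inside it are dropped."""
    cleaned = re.sub(r"^[\x00-\x20]+", "", url)
    compact = re.sub(r"[\t\r\n]", "", cleaned)
    return compact.lower().startswith("javascript:")

class _BookmarkCollector(HTMLParser):
    # Collects (title, href) pairs from a Netscape-style bookmarks.html.
    def __init__(self):
        super().__init__()
        self.entries, self._href, self._title = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._title = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.entries.append(("".join(self._title).strip(), self._href))
            self._href = None

def scan_netscape_bookmarks(text: str) -> list:
    """Return (title, href) for every entry whose target is a script URL."""
    parser = _BookmarkCollector()
    parser.feed(text)
    parser.close()
    return [(t, u) for t, u in parser.entries if is_script_url(u)]

def scan_url_file(text: str):
    """Return the URL= target of an IE .url favorite if it is a script URL."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "url" and is_script_url(value.strip()):
            return value.strip()
    return None

# Constructed sample inputs (not real bookmark files from the advisory).
SAMPLE_BOOKMARKS = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
    <DT><A HREF="http://www.nat.bg/~joro/">Home page</A>
    <DT><A HREF=" JavaScript:alert(1)">Cool link</A>
    <DT><A HREF="java&#9;script:alert(1)">Entity-encoded tab in scheme</A>
</DL><p>
"""
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=javascript:alert(1)\r\n"
```

The normalisation is a conservative heuristic, not a specification of what either browser accepted, so review anything it flags rather than deleting blindly.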

Georgi Guninski
 http://www.nat.bg/~joro
 http://www.whitehats.com/guninski
