[23510] in bugtraq
MSIE6 can read local files
daemon@ATHENA.MIT.EDU (jelmer)
Sat Dec 15 14:17:12 2001
From: "jelmer" <jelmer@kuperus.xs4all.nl>
To: <bugtraq@securityfocus.com>
Cc: <Secure@microsoft.com>
Date: Sat, 15 Dec 2001 03:20:49 +0100
Message-ID: <000801c1850f$1fdaef50$5801a8c0@pluto>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Description
There is a bug in the Microsoft.XMLHTTP component shipped with Internet
Explorer 6 which allows reading and sending local files.
This component doesn't handle http redirects to local files properly
In order for this exploit to work the file name must be known.
The exploit doesn't distinguish between extensions, binary or textual
content witch makes it a high risk exploit in my book
Systems affected:
IE 6/ Win98
IE 6 /Windows XP
Probably other versions of windows ass well as it doesn't seem to be os
related- have not tested.
On IE 5.5 the exploit doesn't work, it seems to have a bug in its
implementation of the active X object used as it doesn't seem to follow
redirects (witch I guess they can call a feature now:p)
Vendor status:
I send microsoft a cc of my bugtraq post :)
A demonstration is available at http://www.xs4all.nl/~jkuperus/bug.htm
Workaround:
Disable active scripting
Then again if you are using Internet explorer you aren't really
concerned with security anyway now are you :p
I really think it's scary that someone like me can find something like
this with as little effort as it took
