[7889] in bugtraq
Re: IE can read local files
daemon@ATHENA.MIT.EDU (Lynda L. True)
Sat Sep 5 15:06:57 1998
Date: Sat, 5 Sep 1998 11:13:36 -0700
Reply-To: "Lynda L. True" <shrdlu@PACBELL.NET>
From: "Lynda L. True" <shrdlu@PACBELL.NET>
To: BUGTRAQ@NETSPACE.ORG
Mike Dion wrote:
> Netscape Navigator Version 3.01 is vulnerable too...
> I didn't test any other netscape versions...
Netscape Navigator/Communicator 4.0.4 seems not to be, and it causes the
javascript error "JavaScript Error: illegal URL method 'file:' "
> At 04:33 98-09-05 -0400, Georgi Guninski wrote:
> >There is a bug in Internet Explorer 3, 4.0, 4.01 (for version information
> see Microsoft's info below),
> >which allows a specially designed web page to read text or HTML files from
> the user's computer
> >and send their contents to an arbitrary host, even if the user is behind
> firewall. The bug uses Javascript and
> >the file name and location must be known.
> >Demonstration of this is available at:
> http://www.geocities.com/ResearchTriangle/1711/good-read.html
> >
> >Workaround: Disable Javascript.
> >Microsoft has released a patch at:
> http://www.microsoft.com/security/bulletins/ms98-013.htm
> >
> >Georgi Guninski
> >http://www.geocities.com/ResearchTriangle/1711
--
17C1 6CBC 214C EF1E E28D 42FD 2B1E A12A FEF2 25AB (DiffieHellman)
Adapt or perish --------- Frank Baxter, Jeffries & Co.
shrdlu@pacbell.net, shrdlu@rocketmail.com, shrdlu@willow.sdd.trw.com
