[9242] in bugtraq
Javascript security bug in Internet Explorer
daemon@ATHENA.MIT.EDU (Georgi Guninski)
Wed Jan 27 11:10:34 1999
Date: Tue, 26 Jan 1999 08:46:03 PST
Reply-To: Georgi Guninski <guninski@HOTMAIL.COM>
From: Georgi Guninski <guninski@HOTMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG
There is a Javascript security bug in Internet Explorer 4.01 (patched), which circumvents "Cross-frame security" and opens several security holes.
The problem is: if you add '%01someURL' after the URL, IE thinks that the document is loaded from the domain of 'someURL'. Very strange?
Some of the bugs are:
1) IE allows reading local files and sending them to an arbitrary server.
The filename must be known.
The bug may be exploited using an HTML mail message.
Demo is available at:
http://www.geocities.com/ResearchTriangle/1711/read3.html
This works on IE 4.0 also.
The javascript code is:
alert('Create a short file C:\\test.txt and its contents will be shown in a dialog box.')
b=showModalDialog("about:<SCRIPT>a=window.open('file://c:/test.txt');s='Here is your file:\\n\\n'+a.document.body.innerText;alert(s);a.close();close()</"+"SCRIPT>%01file://c:/");
2) IE allows "window spoofing".
After visiting a hostile page (or clicking a hostile link) a window is opened and its location is a trusted site. However, the content of the window is not that of the original site, but it is supplied by the owner of the page. So, the user is misled into thinking he is browsing a trusted site, while he is browsing a hostile page and may provide sensitive information, such as a credit card number.
The bug may be exploited using an HTML mail message.
Demo is available at:
http://www.geocities.com/ResearchTriangle/1711/read4.html
Workaround: Disable Javascript
Regards,
Georgi Guninski
TechnoLogica Ltd, Bulgaria
http://www.geocities.com/ResearchTriangle/1711
http://www.whitehats.com/guninski
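Both bugs above share one root cause: the browser derived a document's security domain from the text after the '%01' byte instead of from the URL's real host. The following is an added example, not part of Guninski's post, showing how a same-origin check should behave when it uses a standards-conforming URL parser (the WHATWG URL class in Node.js and modern browsers): a trailing '%01someURL' stays in the path and cannot move the origin, an about: or file: document gets an opaque origin that never matches anything, and a C0 control byte in a link is something a mail gateway or proxy log review can flag. The host names trusted.example and attacker.example are constructed for the example.

```javascript
// Added example (not from the original post). Derive the security origin
// (scheme + host + port) with the WHATWG URL parser. Anything after a
// '%01' is ordinary path text and does not affect the result.
function originOf(rawUrl) {
  return new URL(rawUrl).origin;
}

// Same-origin check as a browser should apply between a script's own
// document (docUrl) and the window it wants to read (targetUrl).
// Opaque origins ("null", e.g. about: and file: documents) never match,
// even against each other; this is the edge case the IE bug got wrong when
// an about: dialog read a file:// window.
function sameOrigin(docUrl, targetUrl) {
  const a = originOf(docUrl);
  const b = originOf(targetUrl);
  if (a === 'null' || b === 'null') return false;
  return a === b;
}

// Defensive screening: does a link carry a C0 control character, raw or
// percent-encoded (%00-%1F)? Legitimate links almost never do, so this is
// a cheap flag for log review or mail filtering.
function hasControlChar(rawUrl) {
  return /%[01][0-9a-f]|[\x00-\x1f]/i.test(rawUrl);
}

// Constructed sample links for a quick run: `node origin_check.js`
const samples = [
  'http://trusted.example/page.html',
  'http://trusted.example/page.html%01file://c:/',
  'http://attacker.example/x%01http://trusted.example/',
];
for (const s of samples) {
  console.log(originOf(s), hasControlChar(s) ? '(control char present)' : '', s);
}
```

Run it with Node.js: every origin printed is the real host of the link, and the two links carrying '%01' are flagged, which is exactly the behaviour the vulnerable parser lacked.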