Bugtraq mailing list archives
IE 5.01 vulnerabilities in external.NavigateAndFind()
From: joro () NAT BG (Georgi Guninski)
Date: Wed, 22 Dec 1999 15:49:44 +0200
IE 5.01 vulnerabilities in external.NavigateAndFind()

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Internet Explorer 5.01 under Windows 95 and 5.0 under WinNT 4.0 (presumably other versions are also vulnerable) allows circumventing the "Cross frame security policy" by using external.NavigateAndFind(). This exposes the whole DOM of the target document. It allows reading local text and HTML files and files from any host (reading files of any type is presumably possible), obtaining cookies (dangerous, because cookies may contain passwords, etc.) and other sensitive information. In some cases it is also possible to read files behind a firewall. This vulnerability may be exploited using an HTML email message or a newsgroup posting.

Details:
window.external.NavigateAndFind() is used to search for strings in a specified URL, displaying the result in a specified frame. The problem is that it also accepts "javascript:" URLs for the specified frame. In that case the code in the "javascript:" URL is executed in the security context of the target frame, so it has access to the document loaded in the target frame, regardless of that document's origin. Examine the code below for more information.

The code is:
----------------------------------------------------------------------------------------
<!-- Target frame: loads the (local) document whose contents will be read -->
<IFRAME NAME="I1" SRC="file://c:/test.txt"></IFRAME>
<SCRIPT>
function f()
{
  // NavigateAndFind(url, searchText, targetFrame): the "javascript:" URL is
  // run in the security context of frame I1, so document is the local file
  window.external.NavigateAndFind("javascript:alert(document.body.innerText);","ll","I1");
}
// Give the frame two seconds to finish loading before searching it
setTimeout("f()",2000);
</SCRIPT>
----------------------------------------------------------------------------------------

Workaround:
Disable Active Scripting

Demonstration is available at http://www.nat.bg/~joro/navan.html

Copyright 1999 Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro
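The root cause described above is a navigation API, reachable from untrusted page script, that will happily navigate a frame to a "javascript:" URL and thereby run the caller's code in the target frame's security context. The example below is added here and is not part of Guninski's advisory or of IE; it shows the shape of check such an API needs: an allowlist of navigation schemes, applied after canonicalising the lenient forms (mixed case, leading whitespace, embedded tabs and control characters) that older IE URL parsers were known to tolerate in a scheme. The names isSafeNavigationUrl and guardedNavigateAndFind, the fake `external` object and the sample URLs are all constructed for illustration; the canonicalisation rules are an assumption about what a guard in front of a lenient parser must cover, not a description of how IE itself parsed URLs.

```javascript
// Added example (not from the advisory): scheme allowlist for the URL argument
// of a NavigateAndFind-style cross-frame navigation API. Everything that is not
// an explicit navigation scheme is refused, so "javascript:", "vbscript:" and
// "data:" can never be executed in the target frame's context.

// Only schemes that fetch a document. "file:" is deliberately absent: a
// navigation API exposed to web content has no business opening local files.
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp"]);

// Canonicalise the way a lenient legacy parser would before matching the scheme:
// drop ASCII control characters and all whitespace (covers "java\tscript:" and
// " javascript:"), then lower-case ("JavaScript:"). The canonical form is used
// only for the decision; the original string is what gets navigated or refused.
// (Assumption: a guard must be at least as permissive in what it recognises as
// the parser it protects.)
function canonicalize(url) {
  return String(url).replace(/[\u0000-\u001F\u007F\s]/g, "").toLowerCase();
}

// Decide whether a URL may be handed to the navigation API.
function isSafeNavigationUrl(rawUrl) {
  const url = canonicalize(rawUrl);
  const colon = url.indexOf(":");
  if (colon === -1) {
    return true; // no scheme at all: relative to the caller's own document
  }
  // A "/", "?" or "#" before the first ":" means the colon is part of a relative
  // path or query ("/search?q=a:b"), not a scheme.
  const delim = url.search(/[/?#]/);
  if (delim !== -1 && delim < colon) {
    return true;
  }
  // Fail closed: anything with a scheme we do not explicitly allow, including
  // malformed scheme tokens, is rejected.
  return ALLOWED_SCHEMES.has(url.slice(0, colon));
}

// Hypothetical guarded wrapper around window.external.NavigateAndFind().
// `external` is injected so the wrapper can be exercised outside IE.
function guardedNavigateAndFind(external, url, searchText, frameName) {
  if (!isSafeNavigationUrl(url)) {
    throw new Error("refused: non-navigation scheme in NavigateAndFind URL: " + url);
  }
  return external.NavigateAndFind(url, searchText, frameName);
}

// Constructed sample inputs, including the advisory's own payload.
const SAMPLE_URLS = [
  "javascript:alert(document.body.innerText);", // the advisory's payload
  "JavaScript:alert(1)",                         // case variation
  "  javascript:alert(1)",                       // leading whitespace
  "java\tscript:alert(1)",                       // embedded tab
  "\u0001javascript:alert(1)",                   // leading control character
  "vbscript:MsgBox 1",
  "data:text/html,<script>alert(1)</script>",
  "file://c:/test.txt",                          // excluded by the allowlist
  "http://www.nat.bg/~joro/navan.html",
  "HTTPS://example.test/",
  "/search?q=a:b",                               // colon inside a query string
  "page.html",
];

// Returns the subset of a list that the guard would refuse.
function rejectedUrls(urls) {
  return urls.filter((u) => !isSafeNavigationUrl(u));
}

// Stand-alone demonstration.
for (const u of SAMPLE_URLS) {
  console.log((isSafeNavigationUrl(u) ? "allow  " : "REFUSE ") + JSON.stringify(u));
}
```

Note that the wrapper refuses rather than rewrites: stripping "javascript:" and navigating to what remains would reintroduce the problem the moment a second encoding trick slips past the canonicaliser. The real remedy for users at the time remains the advisory's workaround, disabling Active Scripting, together with the vendor fix.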