Re: More reading of local files in MSIE

[Dave Ahmad <da () securityfocus com>]

Jelmer,

Exploitation is not limited to disclosing the contents of files on client
systems.  If your exploit page is modified so that a website is opened rather
than a local file, the calling script can access the properties of the
website.  The problem here is that IE6/5.5 does not properly enforce
the same origin policy.

I believe that this is just another way to exploit the same basic
(but extremely serious) problem that was reported by The Pull in this
post:

http://www.securityfocus.com/archive/1/246522

Also see this entry in the SecurityFocus Vulnerability Database:

http://www.securityfocus.com/bid/3721

I have not yet seen a public response from Microsoft.  According to The
Pull, they were notified (it also went over the list).

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Fri, 4 Jan 2002, jelmer wrote:

> More reading of local files in MSIE
>
> Description
>
>
> There is a security vulnerability in IE 5.5 and 6 (probably other
> versions as well) which allows reading and sending of local files.
> The problem lies in the fact that you are able to access a local file's
> dom by calling the execScript function on a newly created window
> The sample exploit provided can only read browser readable files however
> it is highly likely that reading binary files is possible as well
> (By attaching an event to the dom that calls the httpxmlcomponent, witch
> itself at the point of writing is still vulnerable as well)
> In order for this exploit to work the file name must be known.
>
> Risk
>
> High
>
> Systems affected:
>
> The vulnerability has been successfully exploited on
> IE 6 / Windows XP with all patches installed
> IE 5.5 / Windows ME