COMMAND
Browsers below (javascript)
SYSTEMS AFFECTED
Internet Explorer 4.x & 5 and Netscape 4.5x, 4.x on Win9x
PROBLEM
Georgi Guninski found the following. There is a design flaw in both
Internet Explorer 5.0 and Netscape Communicator 4.51 on Win95
(presumably all 4.x versions of both browsers are vulnerable too) in
the way they handle bookmarks. The problem arises if the user bookmarks
(adds to favorites) a specially designed "javascript:" URL and later
chooses it. When the bookmark is chosen, the JavaScript code in it is
executed in the context (the same domain and protocol) of the document
that was open before the bookmark was chosen. So, the JavaScript code
has access to documents in the same domain. An interesting case is
choosing the bookmark when the active document is a local file (the
protocol is "file:") - then the JavaScript code has access to local
files and directories. The vulnerabilities are more serious for
Internet Explorer 5.0. Some of the vulnerabilities follow.
For Internet Explorer 5.0:
- Reading local files if the filename is known;
- Reading files in the domain of the active document (even if
the web server is blocked by a firewall);
- Reading links in the active document and in documents in the
same domain; Web spoofing of documents in the domain of the
active document;
Demonstration is available at:
http://www.nat.bg/~joro/favorites.html
For Netscape Communicator 4.51:
- Browsing local directories;
- Reading local files in the directory of the active document;
- Reading links in the active document and in documents in the
same domain; Web spoofing of documents in the domain of the
active document;
Demonstration is available at:
http://www.nat.bg/~joro/bookmarks.html
SOLUTION
Workaround: Disable JavaScript or do not bookmark untrusted pages.
You can't reproduce this on IE 5.0 with SP5 (getting an error
message stating "Cannot find server or DNS error" after following
Georgi's instructions using TEST.TXT). Even pasting the entire
script in the address box fails to reproduce his described
effects.
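An added audit helper to go with the workaround above; it is not part of the advisory or of Georgi's demonstration. Given an exported bookmark file in the Netscape bookmark-file format (which Communicator writes and IE can import/export), it lists every entry whose URL scheme is javascript:, normalising case, leading whitespace and HTML entity encoding so a disguised scheme is not missed. The sample file and its entries are constructed for the example.

```python
import re
from html import unescape
from typing import List, Tuple

# Constructed sample in the Netscape bookmark-file format. The javascript:
# entries are the kind the advisory warns about; two of them are written
# with case, whitespace and entity tricks that a naive prefix check would miss.
SAMPLE_BOOKMARKS = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
    <DT><A HREF="http://www.nat.bg/~joro/">Georgi's page</A>
    <DT><A HREF="javascript:alert(document.location)">Show location</A>
    <DT><A HREF=" JavaScript:void(0)">Spaced scheme</A>
    <DT><A HREF="&#106;avascript:history.back()">Entity-encoded scheme</A>
    <DT><A HREF="file:///C:/TEST.TXT">Local test file</A>
</DL><p>
"""

# Matches each <A HREF="...">title</A> anchor; group 1 is the URL, group 2 the title.
HREF_RE = re.compile(r'<A\s[^>]*?HREF\s*=\s*"([^"]*)"[^>]*>(.*?)</A>', re.I | re.S)


def normalise_scheme(url: str) -> str:
    """Return the URL scheme the way a lenient browser reads it: entities
    decoded, leading whitespace dropped, control characters inside the
    scheme removed, case folded. Returns "" when there is no scheme."""
    decoded = unescape(url).lstrip()
    head, sep, _rest = decoded.partition(":")
    if not sep:
        return ""
    return re.sub(r"[\x00-\x20]", "", head).lower()


def find_script_bookmarks(bookmark_html: str) -> List[Tuple[str, str]]:
    """Return (title, href) pairs whose scheme is javascript:, i.e. bookmarks
    that run script in the context of whatever document is open when chosen."""
    hits = []
    for href, title in HREF_RE.findall(bookmark_html):
        if normalise_scheme(href) == "javascript":
            hits.append((unescape(title).strip(), href))
    return hits


if __name__ == "__main__":
    for title, href in find_script_bookmarks(SAMPLE_BOOKMARKS):
        print(f"javascript: bookmark found: {title!r} -> {href}")
```

Run it against a real export (e.g. Communicator's bookmark.htm) by passing the file contents to find_script_bookmarks; any hit is a bookmark that, on the affected versions, executes with the privileges of the currently open page.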