COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    IE 5

PROBLEM

    Georgi Guninski found the following.  Internet Explorer 5.01 under
    Windows 98 (presumably all other versions are also vulnerable)
    allows circumventing the "Cross frame security policy" by accessing
    the DOM of documents using JavaScript, IFRAME and the WebBrowser
    control.  This exposes the whole DOM of the target document and
    opens up many security risks: reading local files, reading files
    from any host, window spoofing, getting cookies, etc.

    IFRAME seems to be some kind of wrapper around the WebBrowser
    control, and its events may be captured.  The problem is the
    NavigateComplete2 event, which, when fired, passes the WebBrowser
    control as an argument.  The WebBrowser control has an accessible
    "document" property that allows access to the DOM of the target
    document.

    Note: this is a similar vulnerability to the one discovered by
    Andrew Nosenko (which is already fixed):

        http://oliver.efri.hr/~crv/security/bugs/NT/ie83.html

    The code is:

        <IFRAME  ID="I1"></IFRAME>
        <SCRIPT for=I1 event="NavigateComplete2(b)">
        alert("Here is your file:\n"+b.document.body.innerText);
        </SCRIPT>
        <SCRIPT>
        I1.navigate("file://c:/test.txt");
        setTimeout('I1.navigate("file://c:/test.txt")',1000);
        </SCRIPT>

    A demonstration is available at:

        http://www.nat.bg/~joro/frame2.html
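
    For filtering or auditing stored HTML, the binding described above
    (a SCRIPT whose for= attribute names an IFRAME and whose event= is
    NavigateComplete2) can be detected statically.  This is an added
    example, not part of the original advisory; the class and function
    names are hypothetical and the sample markup is constructed.

```python
from html.parser import HTMLParser


class EventBindingScanner(HTMLParser):
    """Collect IFRAME ids and <SCRIPT for=... event=...> bindings."""

    def __init__(self):
        super().__init__()
        self.frame_ids = set()
        self.bindings = []  # (target id, event name, line number)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("id"):
            self.frame_ids.add(a["id"].strip().lower())
        elif tag == "script" and "for" in a and "event" in a:
            # event="NavigateComplete2(b)" -> "navigatecomplete2"
            event = a["event"].split("(")[0].strip().lower()
            self.bindings.append((a["for"].strip().lower(), event, self.getpos()[0]))


def find_navigatecomplete2_hooks(html):
    """Return (iframe id, line) for scripts bound to an IFRAME's NavigateComplete2."""
    scanner = EventBindingScanner()
    scanner.feed(html)
    scanner.close()
    # Match after the whole document is parsed, so tag order does not matter.
    return [(target, line) for target, event, line in scanner.bindings
            if event == "navigatecomplete2" and target in scanner.frame_ids]


# Constructed sample markup (handler bodies left empty on purpose).
SAMPLE_FLAGGED = """<IFRAME ID="I1"></IFRAME>
<SCRIPT for=I1 event="NavigateComplete2(b)">
</SCRIPT>"""

SAMPLE_BENIGN = """<IFRAME ID="help" SRC="help.html"></IFRAME>
<BUTTON ID="b1">OK</BUTTON>
<SCRIPT for=b1 event="onclick()">
</SCRIPT>"""

if __name__ == "__main__":
    for name, doc in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(name, find_navigatecomplete2_hooks(doc))
```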

SOLUTION

    Disable Active Scripting.