COMMAND

    IE

SYSTEMS AFFECTED

    IE 5.5

PROBLEM

    The following is based on Georgi Guninski's security advisory #20.
    Internet Explorer 5.5 under Windows 98 (all other versions are
    presumably also vulnerable) allows circumventing the "cross frame
    security policy" by accessing the DOM of documents using JavaScript
    and the WebBrowser control.  This exposes the whole DOM of the target
    document and opens up many security risks: reading local files,
    reading files from any host, window spoofing, getting cookies, etc.
    Reading cookies from arbitrary hosts is dangerous, because some sites
    use cookies for authentication.

    The problem is that the WebBrowser control allows opening javascript:
    URLs in already opened documents via its Navigate method.  The code
    in the javascript: URL is executed in the security context of the
    target document and has full access to its DOM.  First, a target
    document is opened in a new named window, and then the WebBrowser
    control's Navigate method is invoked to open a javascript: URL in
    that named window.  Examine the code for details.

    The code is:

        <object id=web2 classid="clsid:8856F961-340A-11D0-A96B-00C04FD705A2">
        </object>
        <SCRIPT>
        alert("This script reads C:\\TEST.TXT\nYou may need to create it");
        a=window.open("file://c:/test.txt","A");
        setTimeout('web2.Navigate("javascript:alert(document.body.innerText)","","A");',2000);
        </SCRIPT>

    Demonstration is available at:

        http://www.nat.bg/~joro/webctrl1.html
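
    The check that the WebBrowser control skips here is the cross frame
    (same-origin) policy: a javascript: URL pushed into a named window is
    equivalent to scripting that window's document, so it must only run
    when the navigating document and the target document share an origin.
    The following is an added example, not code from the advisory or from
    Microsoft, that models this check in plain JavaScript (Node, using the
    global URL class) and applies it to the advisory's scenario.  The
    function names (originOf, mayScriptWindow, navigate) and the result
    objects are assumptions made for the example; file: documents are
    treated as having an opaque origin that never matches anything.

```javascript
// Added example (not from the advisory): a minimal model of the origin
// check that a browser's cross frame security policy must apply before a
// script URL supplied by one document is executed in another window.

// Default ports by scheme, so that http://host and http://host:80 compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the origin (scheme, host, port) of an http(s) URL, or null for
// schemes such as file: whose documents get a unique, opaque origin.
function originOf(href) {
  let u;
  try {
    u = new URL(href);
  } catch (e) {
    return null; // unparsable URL: treat as opaque
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// May a document at sourceHref run script in (and so read the DOM of) a
// window currently displaying targetHref?  Opaque origins never match.
function mayScriptWindow(sourceHref, targetHref) {
  const src = originOf(sourceHref);
  const dst = originOf(targetHref);
  if (src === null || dst === null) return false;
  return src === dst;
}

// Model of a Navigate() call aimed at a named window: a javascript: URL is
// only executed when the origin check passes.  Ordinary (non-script) URL
// navigation is outside this model and is simply reported as such.
function navigate(sourceHref, targetHref, url) {
  const isScriptUrl = /^\s*javascript:/i.test(url);
  if (isScriptUrl && !mayScriptWindow(sourceHref, targetHref)) {
    return { executed: false, reason: "cross-origin javascript: navigation refused" };
  }
  return { executed: true, reason: isScriptUrl ? "same-origin script URL" : "ordinary navigation" };
}

// Constructed scenario mirroring the advisory: the remote demo page targets a
// named window that holds a local file.  A policy-respecting browser refuses.
const REMOTE_PAGE = "http://www.nat.bg/~joro/webctrl1.html"; // from the advisory
const LOCAL_FILE = "file://c:/test.txt";                       // from the demo code

function demo() {
  return navigate(REMOTE_PAGE, LOCAL_FILE, "javascript:alert(document.body.innerText)");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo()); // { executed: false, reason: 'cross-origin javascript: navigation refused' }
}
```

    The vulnerability described above is exactly the absence of the
    mayScriptWindow gate on the Navigate path: the control resolves the
    named window and runs the script URL in its context without comparing
    origins.  The same model also shows why the workaround below works,
    since with Active Scripting disabled the javascript: URL is never
    executed at all.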

SOLUTION

    Workaround: Disable Active Scripting