COMMAND

    IE/Outlook Express

SYSTEMS AFFECTED

    IE 5.5/Outlook Express

PROBLEM

    The following is based on Georgi Guninski security advisory #22.
    Internet Explorer 5.5/Outlook Express (and probably Outlook, if
    Active Scripting is enabled) under Windows 98/2000 (presumably all
    other versions are also vulnerable) allow reading local and UNC
    files.

    The problem lies in the GetObject() JScript function and the
    "htmlfile" ActiveX object.  A call such as
    a=GetObject("c:\\test.txt","htmlfile") creates an HTML document
    object with full access to its DOM, so the script can read the
    file's contents through it.  Examine the code for details.  The
    code is:

        ------getobject1.html--------------------------------
        <SCRIPT>
        alert("This script reads C:\\TEST.TXT\nYou may need to create it");
        a=GetObject("c:\\test.txt","htmlfile");
        setTimeout("alert(a.body.innerText);",2000);
        </SCRIPT>
        -----------------------------------------------------

    Demonstration is available at:

        http://www.guninski.com/getobject1.html

    Just a quick note: if you have configured Internet Explorer so that
    it asks you before executing ActiveX, it will prompt you before
    executing the above script.  Tested on IE5.0/Win2000.

SOLUTION

    Disable Active Scripting.
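
    To triage saved pages or mail bodies, the call pattern described
    under PROBLEM can be searched for statically.  The scanner below is
    an added example, not part of Guninski's advisory; the function
    names and the sample input are constructed for illustration.

```javascript
// Added example (not from the advisory): flag GetObject(<path>, "htmlfile")
// calls in saved HTML or mail bodies. Names and sample input are constructed.

// First argument is a quoted JScript string; the ProgID is case-insensitive.
const GETOBJECT_RE =
  /GetObject\s*\(\s*(["'])((?:\\.|(?!\1).)*)\1\s*,\s*(["'])htmlfile\3\s*\)/gi;

// Undo JScript backslash escaping so "c:\\test.txt" reads as c:\test.txt.
function unescapeJs(s) {
  return s.replace(/\\(.)/g, "$1");
}

// Classify the file the call would load: drive path, UNC share, or other.
function classifyTarget(path) {
  if (/^\\\\[^\\]+\\/.test(path)) return "unc";
  if (/^[a-z]:[\\/]/i.test(path)) return "local";
  return "other";
}

// Return one finding per matching call, with its 1-based line number.
function findHtmlfileGetObject(html) {
  const findings = [];
  for (const m of html.matchAll(GETOBJECT_RE)) {
    const target = unescapeJs(m[2]);
    findings.push({
      line: html.slice(0, m.index).split("\n").length,
      target,
      kind: classifyTarget(target),
    });
  }
  return findings;
}

// Constructed sample: the advisory's call, a UNC variant, a non-htmlfile call.
const SAMPLE = String.raw`<HTML><BODY>
<SCRIPT>
a=GetObject("c:\\test.txt","htmlfile");
b = GetObject( '\\\\fileserver\\share\\notes.txt' , 'HTMLFILE' );
c=GetObject("c:\\test.txt","other.progid");
</SCRIPT>
</BODY></HTML>`;

console.log(findHtmlfileGetObject(SAMPLE));
```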