IE 5.5 Cross Frame security vulnerability - Web Browser Control's Navigate method
From: Georgi Guninski <joro () NAT BG>
Date: Mon, 4 Sep 2000 16:26:17 +0300
Georgi Guninski security advisory #20, 2000
IE 5.5 Cross Frame security vulnerability - Web Browser Control's
IE 5.5/Win98. Probably other versions - have not tested.
Date: 4 September 2000
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
is not liable for any damages caused by direct or indirect use of the
information or functionality provided by this program.
Georgi Guninski bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Internet Explorer 5.5 under Windows 98 (suppose all other versions are
allows circumventing "Cross frame security policy" by accessing the DOM
This exposes the whole DOM of the target document and opens lots of
This allows reading local files, reading files from any host, window
spoofing, getting cookies, etc.
Reading cookies from arbitrary hosts is dangerous, because some sites
already opened documents
by using its Navigate method.
the target document and has full access to its DOM.
First, a target document is opened in a new named window and then Web
Browser's control Navigate method
Examine the code for details.
The code is:
alert("This script reads C:\\TEST.TXT\nYou may need to create it");
Demonstration is available at: http://www.nat.bg/~joro/webctrl1.html
Workaround: Disable Active Scripting
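To check that the workaround above is actually in place, the following added example (not part of the advisory, and not the author's code) parses a registry export and reports the Active Scripting setting for each security zone. It assumes the setting is stored as value "1400" under the Internet Settings\Zones\<n> keys, with 0 = enabled, 1 = prompt and 3 = disabled; the sample export is constructed.

```python
import re

# Assumption: "1400" is the per-zone Active Scripting action (URLACTION_SCRIPT_RUN).
# Zone ids: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted.
ACTIVE_SCRIPTING = "1400"
POLICY = {0: "enabled", 1: "prompt", 3: "disabled"}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
ZONE_RE = re.compile(r"\\Internet Settings\\Zones\\(?P<zone>\d+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-fA-F]{8})$')

# Constructed sample of a regedit export; not taken from a real machine.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1400"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000001
"""

def active_scripting_by_zone(reg_text):
    """Return {zone_id: policy} for every zone key present in the export text."""
    result, zone = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            m = ZONE_RE.search(key.group("key"))
            zone = int(m.group("zone")) if m else None
            if zone is not None:
                result.setdefault(zone, "not set")  # key exists, value not seen yet
            continue
        value = VALUE_RE.match(line)
        if zone is not None and value and value.group("name") == ACTIVE_SCRIPTING:
            data = int(value.group("data"), 16)
            result[zone] = POLICY.get(data, "unknown (0x%x)" % data)
    return result

def zones_without_workaround(reg_text):
    """Zone ids where Active Scripting is anything other than disabled."""
    return sorted(z for z, p in active_scripting_by_zone(reg_text).items() if p != "disabled")

if __name__ == "__main__":
    print(active_scripting_by_zone(SAMPLE_EXPORT), zones_without_workaround(SAMPLE_EXPORT))
```

A zone whose key is present but carries no "1400" value is reported as "not set" and is treated as not having the workaround applied.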