Home page logo

bugtraq logo Bugtraq mailing list archives

IE6 Vulnerability - Local File Detection
From: ViPeR <viper31337 () yahoo co in>
Date: Tue, 7 Dec 2004 12:19:35 +0000 (GMT)

Affected Software : Microsoft Internet Explorer
Vulnerability : Local File Detection

Tested On : MS IE 6.0 SP1, Win2K SP4, [up-to-date]
according to windowsupdate.com

Discovered by : Gregory R. Panakkal

This security vulnerability in Internet Explorer
allows remote attackers to discover what software is
installed on the remote computer, by testing for the
existence of certain files. 

The "sysimage://" protocol is used to display the
appropriate icon corresponding to a  file path when
viewed from MSIE. The default behaviour is such, that
if a existing file-path is given as input, it displays
the approritate icon [as described above], but if the
file-path supplied doesn't exists, it loads the icon
of a folder instead [ie, it gives out no error].

But as always, there is a way to bypass it.. and let
us differentiate between a valid path and an invalid
one, and thus using the onLoad and onError event
handlers, the 'local file detection' is a piece of

There isn't much of a documentation on the net
regarding the "sysimage://", atleast google didn't
show up anything useful :(

Proof Of Concept

<img src="sysimage://C:\WINNT\Notepad.exe,666"
onLoad="document.write('<b>Cannot Find File!</b>');"
onError="document.write('<b>File Exists!</b>');">


A demonstration is available at the following URL.


Greetz to
Liu Die Yu, Rakesh Balasunder

Gregory R. Panakkal 
(aka JunkCode / Viper)

Yahoo! India Matrimony: Find your life partner online
Go to: http://yahoo.shaadi.com/india-matrimony

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]