COMMAND
IE/Outlook Express

SYSTEMS AFFECTED
IE 5.5/Outlook Express
Patched IE 6.0, somewhat patched 5.5 Win2K

PROBLEM
The following is based on Georgi Guninski's security advisory #22. Internet Explorer 5.5/Outlook Express/(probably Outlook, if Active Scripting is enabled) under Windows 98/2000 (presumably all other versions are also vulnerable) allow reading local and UNC files.

The problem is the combination of the GetObject() JScript function and the "htmlfile" ActiveX object. The call a=GetObject("c:\\test.txt","htmlfile") creates an HTML document object loaded from the given file, with full script access to its DOM, so the file's contents can be read back through properties such as a.body.innerText. The setTimeout in the demonstration gives the document object time to load the file before its body is read. Examine the code for details.

The code is:

------getobject1.html--------------------------------
<SCRIPT>
alert("This script reads C:\\TEST.TXT\nYou may need to create it");
a=GetObject("c:\\test.txt","htmlfile");
setTimeout("alert(a.body.innerText);",2000);
</SCRIPT>
-----------------------------------------------------

A demonstration is available at:
http://www.guninski.com/getobject1.html

Just a quick note: if you have configured Internet Explorer to prompt before running ActiveX controls, it will prompt you before executing the above script. Tested on IE5.0/Win2000.

Update
======
If you replace the call with

a=GetObject("http://"+location.host+"/../../../../../../test.txt","htmlfile");

the latest version (IE 6.0) is still vulnerable.

SOLUTION
Disable Active Scripting.
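As an added detection example, not part of the advisory or of Guninski's demonstration code: a small scanner, of the kind a mail gateway or proxy content filter might run, that flags script content calling GetObject(..., "htmlfile") and classifies what the first argument (the moniker) points at. The two flagged sample lines are the calls quoted in the advisory; the UNC read and the non-htmlfile GetObject call are constructed for this example, and all function and field names are my own choices.

```javascript
// Added example (not from the advisory): flag script content that calls
// GetObject(<moniker>, "htmlfile"), the IE 5.5/6.0 file-read pattern described
// above, and classify where the moniker points. Runs under Node.js.

// Matches GetObject( <first argument> , "htmlfile" ). The first argument may be
// a string literal or an expression such as "http://"+location.host+"/../x".
const GETOBJECT_HTMLFILE_RE =
  /GetObject\s*\(\s*([^,]+?)\s*,\s*(['"])htmlfile\2\s*\)/gi;

// A single JScript string literal (double- or single-quoted, with escapes).
const STRING_LITERAL_RE = /^(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)')$/;

// Classify the moniker as it appears in the source text. Backslashes are still
// escaped at this point, so c:\test.txt reads as c:\\test.txt and a UNC path
// \\server\share reads as \\\\server\\share.
function classifyMoniker(arg) {
  const expr = arg.trim();
  const lit = STRING_LITERAL_RE.exec(expr);
  const text = lit ? (lit[1] !== undefined ? lit[1] : lit[2]) : expr;
  if (/^\\\\\\\\/.test(text)) return 'unc-path';          // \\\\server\\share...
  if (/^[a-z]:[\\\/]/i.test(text)) return 'local-path';   // c:\\... or c:/...
  if (/(^|\/)\.\.(\/|$)/.test(text)) return 'traversal-url'; // contains /../
  if (/^(https?|file):/i.test(text)) return 'url';
  return lit ? 'other-literal' : 'dynamic-expression';
}

// Scan a script body and return one finding per htmlfile GetObject call.
// Every such call is worth flagging; the kind only says what it tries to read.
function findHtmlfileGetObject(source) {
  const findings = [];
  for (const m of source.matchAll(GETOBJECT_HTMLFILE_RE)) {
    findings.push({ call: m[0], moniker: m[1].trim(), kind: classifyMoniker(m[1]) });
  }
  return findings;
}

// Sample script lines. "local" and "traversal" are the calls quoted in the
// advisory; "unc" and "benign" are constructed for this example. String.raw
// keeps the backslashes exactly as they would appear in the script source.
const SAMPLES = {
  local: String.raw`a=GetObject("c:\\test.txt","htmlfile");`,
  traversal: String.raw`a=GetObject("http://"+location.host+"/../../../../../../test.txt","htmlfile");`,
  unc: String.raw`o=GetObject("\\\\fileserver\\share\\secret.txt","htmlfile");`,
  benign: String.raw`s=GetObject("winmgmts:");`,
};

// Map each sample name to the list of moniker kinds found in it.
function scanAll(samples) {
  const report = {};
  for (const [name, src] of Object.entries(samples)) {
    report[name] = findHtmlfileGetObject(src).map((f) => f.kind);
  }
  return report;
}

console.log(JSON.stringify(scanAll(SAMPLES), null, 2));
```

The scanner keys on the "htmlfile" class name rather than on the path, because the advisory's update shows that the path form changes (drive letter, UNC, or a traversal URL relative to the page's own host) while the class name is what turns the file into a readable DOM.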