COMMAND

Internet Explorer local file exposure

SYSTEMS AFFECTED

IE 6 / Win98
IE 6 / Windows XP

PROBLEM

jelmer found the following:

There is a bug in the Microsoft.XMLHTTP component shipped with Internet Explorer 6 which allows reading and sending local files. This component doesn't handle HTTP redirects to local files properly.

In order for this exploit to work the file name must be known. The exploit doesn't distinguish between extensions, binary or textual content, which makes it a high risk exploit in my book.

A demonstration is available at http://www.xs4all.nl/~jkuperus/bug.htm

SOLUTION

Workaround
==========
Disable active scripting
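
The flaw described above is a redirect that crosses from HTTP into the local file scheme. The following is an added example, not part of the original advisory and not Microsoft's code: a per-hop scheme check for a redirect-following HTTP client. The function names, the `example.test` host and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: redirect policy for an HTTP client component.
// ALLOWED_SCHEMES, checkRedirect and followRedirects are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_HOPS = 5;

// Resolve a Location value against the current URL and decide whether the
// client may follow it. Returns the next absolute URL or throws.
function checkRedirect(currentUrl, location) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // also handles relative Location values
  if (!ALLOWED_SCHEMES.has(to.protocol)) {
    throw new Error("blocked redirect to scheme " + to.protocol);
  }
  if (from.protocol === "https:" && to.protocol === "http:") {
    throw new Error("blocked https to http downgrade");
  }
  return to.href;
}

// Follow redirects through a transport function, validating every hop.
// transport(url) returns { status, location, body }.
function followRedirects(startUrl, transport) {
  let url = checkRedirect(startUrl, startUrl); // the first URL is checked too
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    const res = transport(url);
    const isRedirect = res.status >= 300 && res.status <= 399 && res.location;
    if (!isRedirect) return { url, body: res.body };
    url = checkRedirect(url, res.location);
  }
  throw new Error("too many redirects");
}

// Constructed responses standing in for a remote server (not real traffic).
const SAMPLE = {
  "http://example.test/a": { status: 302, location: "/b" },
  "http://example.test/b": { status: 200, body: "ok" },
  "http://example.test/redir-local": { status: 302, location: "file:///C:/placeholder.txt" },
};
const sampleTransport = (url) => SAMPLE[url] || { status: 404, body: "" };

// Runs one allowed chain and one chain that ends in a local-file redirect.
function demo() {
  const good = followRedirects("http://example.test/a", sampleTransport);
  let blocked = null;
  try { followRedirects("http://example.test/redir-local", sampleTransport); }
  catch (e) { blocked = e.message; }
  return { good, blocked };
}
```

The check runs on every hop, so a redirect chain that starts on an allowed scheme cannot end on a local file.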