23rd Aug 2002 [SBWID-5657]
COMMAND
Accessing remote/local content via Internet Explorer (IE) XML parser
SYSTEMS AFFECTED
All tested versions of Microsoft Internet Explorer (IE5+); prior
versions may be vulnerable as well.
Note that any other application that uses Internet Explorer's engine
(WebBrowser control) is affected as well (Outlook, MSN Explorer, etc.).
PROBLEM
GreyMagic Software in a GreyMagic Security advisory [GM#009-IE] :
http://security.greymagic.com/adv/gm009-ie/
Back in 1997, when Internet Explorer 4 was first released, XML was just
starting to become popular. The popularity of XML prompted Microsoft to
devise the early prototype of XML data-islands, using the <script>
element in conjunction with the "language" attribute set to "XML".
When Internet Explorer 5 was released the <script> data-island had
been replaced with the more intuitive <xml> data-island. But even
though the <script> syntax was now deprecated, Microsoft kept it for
the sake of backwards compatibility.
Discussion:
===========
By default the <script> data-island only allows URLs from the same
domain as the document to be assigned to its "src" attribute.
Unfortunately, it fails to correctly validate its "src" attribute
against a redirection, which potentially allows any web page to do the
following:
* Read XML files from any URL.
* Read portions of non-XML files from any URL.
* Read local XML files, in some setups.
* Read portions of local non-XML files, in some setups.
Any of the exploitations above may expose sensitive and private
information belonging to the user.
The <script> data-island can be exploited by assigning a URL to the
"src" attribute, which will redirect to a local or remote location. The
XML engine will then process the content of that location.
In case the location does not contain valid XML content, parts of it
can still be read by using XMLDOM's error mechanism. The "srcText"
property of the "parseError" object will contain the line of text that
could not be parsed by the engine. If the content does not contain line
breaks at all then the entire content may be exposed.
Exploit:
========
This example reads the contents of a remote URL: "getFile.asp" redirects
to the desired location, allowing us to read it:
<script language="xml" src="getFile.asp" id="oFile"></script>
<script language="jscript">
onload=function () {
    // oFile is the legacy <script language="xml"> data-island above; its
    // XMLDocument property holds the parsed result of whatever location
    // "getFile.asp" redirected to.
    var oXD=oFile.XMLDocument,
        oPE=oXD.parseError;
    alert(
        oXD.firstChild || oPE.line>0 ?
            // Valid XML: the whole document is available via .xml; otherwise
            // parseError.srcText still reveals the line that failed to parse.
            "File found!\n"+
            "Details:\n\n"+
            (oXD.xml || "Line "+oPE.line+" contains '"+oPE.srcText+"'")
        :
            "File does not exist or could not be retrieved."
    );
}
</script>
A fully dynamic proof-of-concept demonstration of this issue is
available at
http://security.greymagic.com/adv/gm009-ie/
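Because the technique depends on the deprecated <script language="xml" src=...> syntax being present in a page, a content filter (mail gateway, proxy or site scanner) can flag it while the patch is rolled out. The following Python detector is an added example, not code from the advisory or from GreyMagic; the HTML it scans is constructed to mirror the exploit markup above, and the DYNAMIC_EXT list is an assumption.

```python
import urllib.parse
from html.parser import HTMLParser

# Server-side handlers are the likeliest to answer with a redirect (the
# advisory's "getFile.asp"); a static file is flagged too, at lower severity,
# because any same-domain src can still be redirected. (Assumed list.)
DYNAMIC_EXT = (".asp", ".aspx", ".cgi", ".php", ".pl", ".dll", ".jsp")

class LegacyXmlIslandFinder(HTMLParser):
    """Collects every <script language="xml"> start tag with its id and src."""
    def __init__(self):
        super().__init__()
        self.islands = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag/attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("language", "").strip().lower() == "xml":
            self.islands.append({"id": a.get("id"), "src": a.get("src")})

def find_legacy_xml_islands(html):
    parser = LegacyXmlIslandFinder()
    parser.feed(html)
    parser.close()
    return parser.islands

def severity_for_src(src):
    path = urllib.parse.urlsplit(src).path.lower()
    if path.endswith(DYNAMIC_EXT) or "?" in src:
        return "high"    # dynamic handler: can redirect to any local/remote location
    return "medium"      # static resource, still fetched via the unvalidated src

def flag_risky_islands(html):
    """One finding per legacy data-island that fetches via src; inline
    islands (no src) involve no fetch and are not reported."""
    findings = []
    for island in find_legacy_xml_islands(html):
        if island["src"]:
            findings.append({**island, "severity": severity_for_src(island["src"])})
    return findings

# Constructed sample page mirroring the advisory's exploit markup.
SAMPLE_PAGE = """<html><body>
<xml id="oData"><row a="1"/></xml>
<script language="xml" src="getFile.asp" id="oFile"></script>
<SCRIPT LANGUAGE="XML" ID="oInline"><data/></SCRIPT>
<script language="jscript" src="app.js"></script>
</body></html>"""

FINDINGS = flag_risky_islands(SAMPLE_PAGE)  # -> [{'id': 'oFile', 'src': 'getFile.asp', 'severity': 'high'}]
```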
SOLUTION
Microsoft was first informed on 18 Feb 2002; a patch was finally
released on 22 Aug 2002, after a long investigation and testing period.
The patch may be downloaded from:
http://www.microsoft.com/technet/security/bulletin/ms02-047.asp