COMMAND

	Internet Explorer local file reading

SYSTEMS AFFECTED

	ie 6 sp1 + all patches

PROBLEM

	jelmer [jelmer@kuperus.xs4all.nl] found :
	
	We already knew pressing the back button on IE is dangerous
	
	 http://online.securityfocus.com/archive/1/267561
	
	So it wont come as a total shock that so  is  clicking  a  link  :)  The
	problem lies in the dragdrop method  that  was  added  as  a  method  on
	nearly all HTML elements in ie5.5 This  method  makes  any  element  act
	like its being dragged.
	
	It is possible to abuse this behaviour to drop text  in  a  html  upload
	control thus allowing you to read any file from  an  unsuspecting  users
	harddisk. In order for it to be succesfull the name of the file must  be
	known
	
	basicly drag and dropping text takes a couple of steps
	
	- select text
	- press mouse
	- move mouse over over an element that can accept it
	- release mouse.
	
	It is possible to mimic all the above steps  but  the  pressing  of  the
	button by using javascript
	
	a demo is provided at
	
	 http://kuperus.xs4all.nl/security/ie/xfiles.htm
	
	it isn't very elegant but seems to work most of  the  time  (ie  acts  a
	little flakey at times), there are probably better ways to do it if  you
	know of any let me know ;)
	
	references:
	
	http://webreference.com/programming/javascript/dragdropie/3.html
	http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/dragdrop.asp
	
	
	 - Also -
	
	Andreas Sandblad
	
	    _     _
	  o' \,=./ `o
	     (o o)
	-ooO--(_)--Ooo- 
	
	adds :
	
	This is not the first time we have seen user interaction  problems  with
	the upload  control.  Maybe  you  remember:  "Pressing  CTRL  in  IE  is
	dangerous"
	
	 http://online.securityfocus.com/archive/1/283866
	 (Taking advantage of pasting. SHIFT also works because SHIFT-INSERT =CTRL-V)
	
	Btw, we only need to know the relative path. For example we can use:
	
	"..\\Cookies\\index.dat" 
	
	instead of
	
	"c:\\jelmer.txt"
	

SOLUTION

	None yet