
CSS and Active Scripting enabled allows access to local files
3rd Apr 2002 [SBWID-5232]
COMMAND

	CSS and Active Scripting enabled allows access to local files

SYSTEMS AFFECTED

	 IE5sp2 NT4 sp6a, all patches.

	 IE5.5sp2 Win98, all patches.

	 IE5.5sp2 NT4 sp6a, all patches.

	 IE6sp1 Win2000 sp2, all patches.

	 IE6sp1 WinXP, all patches.

	

PROBLEM

	In the GreyMagic Software [security@greymagic.com] advisory
	[http://security.greymagic.com/adv/gm004-ie/]:
	

	CSS can be embedded in a number of ways; one of them is to use an
	external file and link it to a document. This is done by utilizing the
	<link> element or the seldom used @import CSS rule.
	

	Using the cssText property of the styleSheet object, it is possible to
	read portions of (and sometimes whole) files, from local or remote
	locations.
	

	Almost any file that contains a curly-bracket ("{") character will be
	parsed by IE's CSS engine; it is then possible to read parts of the
	content using the cssText property.
	

	The problem is that invalid CSS attributes are kept within the cssText
	property even though they have no functional use, allowing malicious
	programmers access to that content.
	

	The problem is very apparent in C-style code files (Java, Perl, C#,
	etc.) and in configurations for many services (such as DNS, for
	example).
	

	[1] CSS: http://www.w3.org/TR/REC-CSS2/

	[2] <link> element:
	http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/link.asp

	[3] @import rule:
	http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/import.asp

	[4] cssText property:
	http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/csstext.asp

	[5] styleSheet object:
	http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/obj_stylesheet.asp

	

	

	 Exploit:
	 ========

	

	This example attempts to read content from "c:/test.txt".
	

	<link id="oFile" rel="stylesheet" href="file://c:/test.txt" disabled>
	<script language="jscript">
	onload=function () {
	    // cssText returns whatever IE's CSS parser retained from the linked file
	    alert(document.styleSheets.oFile.cssText || "Could not extract any text from file.");
	}
	</script>

	

	

	A fully dynamic proof-of-concept demonstration of this issue is
	available at http://security.greymagic.com/adv/gm004-ie/.

SOLUTION

	Until a patch becomes available the only workaround is to disable
	Active Scripting.
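
	For reviewing saved pages or proxy captures for the pattern described under PROBLEM, the following static check is an added example, not code from the GreyMagic advisory or from this site. The function names and the three sample pages are constructed for illustration; it flags a page only when a stylesheet is loaded from a local path (via <link> or @import) and the page also touches cssText.

```javascript
// Added example: static audit for the pattern in this advisory.
// Function names and the sample pages are constructed for illustration.

// Read one attribute value (quoted or bare) from a tag string.
function attr(tag, name) {
  const re = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// True when a stylesheet URL points at the local file system or a UNC share.
function isLocalUrl(url) {
  const u = url.trim();
  return /^file:/i.test(u) || /^[a-z]:[\\/]/i.test(u) || /^\\\\/.test(u);
}

// Collect stylesheet sources from <link rel=stylesheet> elements and @import rules.
function stylesheetSources(html) {
  const sources = [];
  for (const tag of html.match(/<link\b[^>]*>/gi) || []) {
    const rel = attr(tag, "rel");
    const href = attr(tag, "href");
    if (rel && /\bstylesheet\b/i.test(rel) && href) sources.push({ via: "link", url: href });
  }
  const importRe = /@import\s+(?:url\(\s*)?["']?([^"')\s;]+)/gi;
  for (let m; (m = importRe.exec(html)) !== null; ) sources.push({ via: "@import", url: m[1] });
  return sources;
}

// Flag a page that loads a local file as a stylesheet AND touches cssText.
function auditPage(html) {
  const localSheets = stylesheetSources(html).filter((s) => isLocalUrl(s.url));
  const readsCssText = /\.cssText\b/.test(html);
  return { localSheets, readsCssText, suspicious: localSheets.length > 0 && readsCssText };
}

// Constructed samples: the advisory's <link> form, an @import form, a benign page.
const SAMPLE_LINK = '<link id="oFile" rel="stylesheet" href="file://c:/test.txt" disabled>' +
  "<script>onload=function(){alert(document.styleSheets.oFile.cssText)}</script>";
const SAMPLE_IMPORT = "<style>@import url(file://c:/test.txt);</style>" +
  "<script>var t=document.styleSheets[0].cssText</script>";
const SAMPLE_BENIGN = '<link rel="stylesheet" href="/static/site.css">' +
  '<script>document.body.style.cssText="color:red"</script>';

for (const [name, page] of [["link", SAMPLE_LINK], ["import", SAMPLE_IMPORT], ["benign", SAMPLE_BENIGN]]) {
  console.log(name, JSON.stringify(auditPage(page)));
}
```

	The benign sample shows why both conditions are required: setting style.cssText on an element is common in ordinary pages and is not flagged on its own.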
