IE 5.0 Vulnerable to HTTP Redirection
Reported November 4, 1999 by Georgio Guninski
Georgio Guninski discovered a problem with Internet Explorer 5.0 under Windows 95 and NT 4.0 (and perhaps Windows 98) that allows a remote attacker to read local text and HTML files, as well as files from any domain. Reading other file types may be possible too, window spoofing is possible, and in some cases files behind a firewall can be read.
This vulnerability may be exploited using an HTML email message or a newsgroup posting.
The problem is something like a race condition immediately after window.open("HTTP-redirecting-URL").
If you do:
Then you will have access to the redirected URL's document through the window reference "b".
NOTE: "http://www.nat.bg/~joro/reject.cgi?test.txt" just does an HTTP redirect to "file://c:/test.txt".
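An added defensive example, not part of the original advisory: the local file read above depends on reject.cgi willingly redirecting the browser to a file:// URL, so a site that operates a redirector can at least refuse non-http(s) targets even though the race itself is a browser bug. The Python below validates candidate Location values and audits a constructed sample log; the allow-list argument and the sample lines are assumptions made for this example.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def check_redirect_target(location, allowed_hosts=None):
    """Return (ok, reason) for a candidate Location header value.
    allowed_hosts: optional set of hostnames an absolute URL may point at."""
    # CR/LF or other control characters mean header injection, never a URL.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in location):
        return False, "control character in Location (header injection)"
    # Some browsers treat backslashes as slashes; normalise before parsing.
    value = location.strip().replace("\\", "/")
    parts = urlsplit(value)
    if parts.scheme:
        # file:, javascript:, about: and friends must never be redirect targets.
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False, f"scheme {parts.scheme.lower()!r} is not http(s)"
        if allowed_hosts is not None and parts.hostname not in allowed_hosts:
            return False, f"host {parts.hostname!r} is not allow-listed"
        return True, "absolute http(s) URL"
    if parts.netloc:
        # "//host/path" is scheme-relative: attacker-chosen host unless allow-listed.
        if allowed_hosts is not None and parts.hostname in allowed_hosts:
            return True, "scheme-relative URL to allow-listed host"
        return False, "scheme-relative URL to untrusted host"
    if value.startswith("/"):
        return True, "site-relative path"
    return False, "unrecognised redirect target"


# Constructed sample of Location headers a redirector might have emitted;
# this is not real output from the reject.cgi script named in the advisory.
SAMPLE_LOG = [
    "Location: http://www.example.com/test.txt",
    "Location: file://c:/test.txt",
    "Location: FILE:///etc/passwd",
    "Location: /docs/test.txt",
    "Location: //evil.example/steal",
]


def find_unsafe_redirects(log_lines):
    """Return (target, reason) for every Location line that fails the check."""
    findings = []
    for line in log_lines:
        if line.startswith("Location:"):
            target = line[len("Location:"):].strip()
            ok, reason = check_redirect_target(target)
            if not ok:
                findings.append((target, reason))
    return findings
```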
VENDOR RESPONSE: Microsoft is aware of the problem; however, no response had been issued as of midday on November 4, 1999.
Posted here at NTSecurity.NET on November 4, 1999