Reported September 26, 2000 by Georgi Guninski

VERSIONS AFFECTED
  • Internet Explorer 5.5, Outlook Express 5.5

DESCRIPTION

A bug found in Internet Explorer and Outlook Express 5.5 makes it possible for a person to remotely read files on local and mapped (UNC) drives.

DEMONSTRATION

By exploiting the functionality of the JScript GetObject() function and the "htmlfile" ActiveX object, a remote user could read files. Example HTML as provided by Georgi Guninski is as follows:

VENDOR RESPONSE

It is unconfirmed whether Microsoft has been made aware of this issue. A suggested workaround is to disable Active Scripting.

CREDIT
Discovered by Georgi Guninski