Microsoft IE JavaScript script src Local File Enumeration

2002-01-03T00:00:00
ID OSVDB:3034
Type osvdb
Reporter Tom Micklovitch()
Modified 2002-01-03T00:00:00

Description

Vulnerability Description

Microsoft Internet Explorer allows a remote attacker to verify the existance of a file on a vulnerable machine. This information disclosure is due to the way JavaScript returns error messages when it attempts to access a file. Using the "OnError" even handler, calls to a local file will result in an error message that verifies it's existance.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Microsoft Internet Explorer allows a remote attacker to verify the existance of a file on a vulnerable machine. This information disclosure is due to the way JavaScript returns error messages when it attempts to access a file. Using the "OnError" even handler, calls to a local file will result in an error message that verifies it's existance.

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-01/0019.html Mail List Post: http://lists.darklab.org/pipermail/darklab/2007-February/000275.html ISS X-Force ID: 7784 Bugtraq ID: 3779