OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: jelmer (jelmerkuperus.xs4all.nl)
Date: Fri Dec 14 2001 - 20:20:49 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Description

    There is a bug in the Microsoft.XMLHTTP component shipped with Internet
    Explorer 6 which allows reading and sending local files.
    This component doesn't handle http redirects to local files properly
    In order for this exploit to work the file name must be known.
    The exploit doesn't distinguish between extensions, binary or textual
    content witch makes it a high risk exploit in my book

    Systems affected:

    IE 6/ Win98
    IE 6 /Windows XP
    Probably other versions of windows ass well as it doesn't seem to be os
    related- have not tested.
    On IE 5.5 the exploit doesn't work, it seems to have a bug in its
    implementation of the active X object used as it doesn't seem to follow
    redirects (witch I guess they can call a feature now:p)

    Vendor status:

    I send microsoft a cc of my bugtraq post :)

    A demonstration is available at http://www.xs4all.nl/~jkuperus/bug.htm

    Workaround:

    Disable active scripting

    Then again if you are using Internet explorer you aren't really
    concerned with security anyway now are you :p
    I really think it's scary that someone like me can find something like
    this with as little effort as it took