|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
IE 5.01 vulnerabilities in external.NavigateAndFind()
Subject: IE 5.01 vulnerabilities in external.NavigateAndFind()
From: Georgi Guninski (joro
NAT.BG)
Date: Wed Dec 22 1999 - 08:09:35 CST
- Next message: Microsoft Product Security: "Microsoft Security Bulletin (MS99-060)"
- Previous message: Microsoft Product Security: "Microsoft Security Bulletin (MS99-058)"
- Next in thread: Maxime Rousseau: "Re: IE 5.01 vulnerabilities in external.NavigateAndFind()"
- Reply: Maxime Rousseau: "Re: IE 5.01 vulnerabilities in external.NavigateAndFind()"
- Reply: is15758: "FW: IE 5.01 vulnerabilities in external.NavigateAndFind()"
- Reply: Chayka Sergey Alexandrovich: "Re: IE 5.01 vulnerabilities in external.NavigateAndFind()"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
IE 5.01 vulnerabilities in external.NavigateAndFind()
Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this program. Georgi
Guninski, bears NO responsibility for content or misuse of this program
or any derivatives thereof.
Description:
Internet Explorer 5.01 under Windows 95 and 5.0 under WinNT 4.0 (suppose
other versions are also vulnerable) allows circumventing "Cross frame
security policy" by using external.NavigateAndFind().
This exposes the whole DOM of the target document.
This allows reading local text and HTML files and files from any host
(suppose reading files of any type is possible),
getting cookies (that is dangerous because may get passwords, CC #s,
etc.) and other sensitive information.
It is also possible in some cases to read files behind firewall.
This vulnerability may be exploited using HTML email message or a
newsgroup posting.
Details:
window.external.NavigateAndFind() is used to search for strings in
specified URLs displaying the result in a specified frame.
The problem is it allows searching in "javascript:" URLs in a specified
frame.
In this case the code in the "javascript:" URL is executed in the
security context of the target frame and the code has access to the
document loaded in the target frame.
Examine the code below for more information.
The code is:
----------------------------------------------------------------------------------------
<IFRAME NAME="I1" SRC="file://c:/test.txt"></IFRAME>
<SCRIPT>
function f()
{
window.external.NavigateAndFind("javascript:alert(document.body.innerText);","ll","I1");
}
setTimeout("f()",2000);
</SCRIPT>
----------------------------------------------------------------------------------------
Workaround:
Disable Active Scripting
Demonstration is available at http://www.nat.bg/~joro/navan.html
Copyright 1999 Georgi Guninski
Regards,
Georgi Guninski
http://www.nat.bg/~joro
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
- Next message: Microsoft Product Security: "Microsoft Security Bulletin (MS99-060)"
- Previous message: Microsoft Product Security: "Microsoft Security Bulletin (MS99-058)"
- Next in thread: Maxime Rousseau: "Re: IE 5.01 vulnerabilities in external.NavigateAndFind()"
- Reply: Maxime Rousseau: "Re: IE 5.01 vulnerabilities in external.NavigateAndFind()"
- Reply: is15758: "FW: IE 5.01 vulnerabilities in external.NavigateAndFind()"
- Reply: Chayka Sergey Alexandrovich: "Re: IE 5.01 vulnerabilities in external.NavigateAndFind()"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b27 : Wed Dec 22 1999 - 17:21:19 CST