The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or  indirect use of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof.


Internet Explorer 5.0 under Windows 95 and Windows NT 4.0 (suppose Win98 is vulnerable)
allows reading local text files (the extension does not matter) and parts of binary files.
It is also possible to read text files from any domain and in some cases reading files from a web server behind a firewall.


The problem is the IE feature "download behavior".
It is possible to click on a link and a callback function to be executed.
When the callback function is executed by "startDownload" method, the downloaded file is passed as an argument to the callback function.
Microsoft has implemented some security which does not allow downloading files in this way from a different domain.
But if the link points to a file in same domain as the exploit page and a HTTP redirect is forced,
then the exploit works.
It is not necessary the user to click on the link, this may be done automatically.
This vulnerability may be exploited using HTML email message or a newsgroup posting.

The code is:
function doit(s)
 alert ("Here is your file:\n"+s);
<A ID="oD" STYLE="behavior:url(#default#download)" HREF="javascript:oD.startDownload('http://www.guninski.com/reject.cgi?autoexec', doit)">Click here to read C:\AUTOEXEC.BAT</A>.
("http://www.guninski.com/reject.cgi?autoexec" just does a HTTP redirect to file://c:/autoexec.bat)

Disable Active Scripting

Click here to read C:\AUTOEXEC.BAT.

Go to Georgi Guninski's home page