Skip navigation

IE Exposes User Files

 
Internet Explorer Exposes User Files

Reported Feburary 16, 2000 by Microsoft

VERSIONS AFFECTED
Microsoft Internet Explorer 4.0 and 4.01
  • Microsoft Internet Explorer 5 and 5.01
  • DESCRIPTION

    According to Microsoft" bulletin, "when a web server navigates a window from one domain into another one, the IE security model checks the server"s permissions on the new page.However, it is possible for a web server to open a browser window to a client-local file, then navigate the window to a page that is in the web site"s domain in such a way that the data in the client-local file is accessible to the new window. The data would only be accessible to the new window for a very brief period, but the result is that it could be possible for a malicious web site operator to view files on the computer of a visiting user. The web site operator would need to know (or guess) the name and location of the file, and could only view file types that can be opened in a browser window."

    VENDOR RESPONSE

    Microsoft has issued a patch, and a FAQ regarding this matter. However, no Support Online article was available at the time of this writing.

    CREDITS
    Discovered by Microsoft

    Hide comments

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish