More IE5 Cross Frame Nav - 22 Dec 1999

IE 5.01 Cross Frame Navigation

Reported December 22, 1999 by
Georgio Guninski

Internet Explorer 5.01


IE 5.01 vulnerabilities in external.NavigateAndFind()

Internet Explorer 5.01 under Windows 95 and 5.0 under WinNT 4.0 (suppose other versions are also vulnerable) allows circumventing "Cross frame security policy" by using external.NavigateAndFind(). This exposes the whole DOM of the target document.

This allows reading local text and HTML files and files from any host (suppose reading files of any type is possible), getting cookies (that is dangerous because may get passwords, CC #s, etc.) and other sensitive information. It is also possible in some cases to read files behind firewall. This vulnerability may be exploited using HTML email message or a newsgroup posting.

window.external.NavigateAndFind() is used to search for strings in specified URLs displaying the result in a specified frame. The problem is it allows searching in "javascript:" URLs in a specified frame.

In this case the code in the "javascript:" URL is executed in the security context of the target frame and the code has access to the document loaded in the target frame.

Examine the code below for more information.

<IFRAME NAME="I1" SRC="file://c:/test.txt"></IFRAME>
function f()

Demonstration is available at


Microsoft is aware of this issue, however their response was unknown at the time of this writing.

Discovered by
Georgio Guninski

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.