
More IE5 Cross Frame Nav - 22 Dec 1999

IE 5.01 Cross Frame Navigation

Reported December 22, 1999 by
Georgi Guninski

VERSIONS AFFECTED
Internet Explorer 5.01

DESCRIPTION

IE 5.01 vulnerabilities in external.NavigateAndFind()

Internet Explorer 5.01 under Windows 95 and 5.0 under Windows NT 4.0 (other versions are presumably also vulnerable) allow the "cross frame security policy" to be circumvented by using external.NavigateAndFind(). This exposes the whole DOM of the target document to the calling page.

This allows reading local text and HTML files, and files from any host the victim can reach (presumably files of any type can be read), obtaining cookies (dangerous, because cookies may carry passwords, credit card numbers, etc.) and other sensitive information. In some cases it also allows reading files behind a firewall, because the victim's browser does the fetching. The vulnerability may be exploited through an HTML email message or a newsgroup posting.

window.external.NavigateAndFind() is used to search for a string in a specified URL, displaying the result in a specified frame. The problem is that it accepts "javascript:" URLs as the URL to load into the specified frame.

In that case the code in the "javascript:" URL is executed in the security context of the target frame, so it has full access to the document loaded in that frame, regardless of the origin of the page that called NavigateAndFind().

Examine the code below for more information.

<!-- Frame a local file; the hosting page (served from a remote site) must not be able to script it. -->
<IFRAME NAME="I1" SRC="file://c:/test.txt"></IFRAME>
<SCRIPT>
function f()
{
// Arguments: URL to load, string to search for, name of the target frame.
// Because the URL is a javascript: URL it runs inside frame I1, so
// "document" here is the local file's document, not the attacker's page.
window.external.NavigateAndFind("javascript:alert(document.body.innerText);","ll","I1");
}
// Wait two seconds so the frame has finished loading before navigating it.
setTimeout("f()",2000);
</SCRIPT>

Demonstration is available at http://www.nat.bg/~joro/navan.html
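For reference, the check that NavigateAndFind() should have applied before loading a "javascript:" URL into a frame, reconstructed as an added example in JavaScript (Node.js). This is not IE's code and is not part of the original advisory; the function names, the policy modeled (a javascript: URL may run in a frame only when the caller and the frame share a non-opaque origin, with file: and about: documents treated as opaque) and the sample URLs other than the advisory's own are assumptions chosen for illustration.

```javascript
// Added example (not IE code, not from the advisory): a model of the
// cross-frame check that external.NavigateAndFind() skipped. The policy and
// the helper names are assumptions chosen for illustration.

// Default ports, so http://a.example and http://a.example:80 compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Serialised origin of a document URL, or null when the origin is opaque
// (file:, about:, data:, javascript:, unparsable). An opaque origin matches
// nothing, not even itself, so script access involving it is always denied.
function documentOrigin(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return u.protocol + "//" + u.hostname.toLowerCase() + ":" + port;
}

// Scheme of a navigation target, lower-cased, with leading whitespace and
// control characters ignored so "  JavaScript:..." is still recognised.
function navigationScheme(rawUrl) {
  const m = /^[\s\x00-\x1f]*([a-z][a-z0-9+.\-]*):/i.exec(String(rawUrl));
  return m ? m[1].toLowerCase() + ":" : null;
}

// May script running in the document at callerUrl navigate the frame that
// currently shows frameUrl to navUrl? Ordinary navigations are permitted
// across origins; a javascript: URL executes inside the frame's own document,
// so it is permitted only when caller and frame share a non-opaque origin.
function canNavigateFrame(callerUrl, frameUrl, navUrl) {
  if (navigationScheme(navUrl) !== "javascript:") {
    return { allowed: true, reason: "ordinary navigation" };
  }
  const caller = documentOrigin(callerUrl);
  const frame = documentOrigin(frameUrl);
  if (caller === null || frame === null) {
    return { allowed: false, reason: "opaque origin involved" };
  }
  if (caller !== frame) {
    return { allowed: false, reason: "cross-origin: " + caller + " vs " + frame };
  }
  return { allowed: true, reason: "same origin" };
}

// The advisory's scenario, reconstructed: the demo page frames a local file
// and asks NavigateAndFind() to run a javascript: URL inside that frame.
// With the check in place this is refused; in IE 5.01 it ran in the frame.
function advisoryCase() {
  return canNavigateFrame(
    "http://www.nat.bg/~joro/navan.html",
    "file://c:/test.txt",
    "javascript:alert(document.body.innerText);"
  );
}

// Constructed sample decisions (the a/b/c.example hosts are placeholders).
function printDecisions() {
  const cases = [
    ["advisory: http page -> file: frame", advisoryCase()],
    ["same origin, default port spelled out",
      canNavigateFrame("http://a.example/x", "http://a.example:80/y", "javascript:1")],
    ["scheme differs",
      canNavigateFrame("http://a.example/x", "https://a.example/y", "javascript:1")],
    ["obfuscated scheme, cross-origin",
      canNavigateFrame("http://a.example/x", "http://b.example/y", "  JavaScript:1")],
    ["plain navigation of a cross-origin frame",
      canNavigateFrame("http://a.example/x", "http://b.example/y", "http://c.example/")],
  ];
  for (const [label, d] of cases) {
    console.log((d.allowed ? "ALLOW" : "DENY ") + "  " + label + " (" + d.reason + ")");
  }
}

printDecisions();
```

The point of the model is that a "javascript:" URL is not a navigation at all but code execution in the target frame's context, so it has to be gated by the same origin comparison that governs direct DOM access between frames; any API that takes a URL and a frame name needs that gate, and the advisory's NavigateAndFind() lacked it.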

VENDOR RESPONSE

Microsoft is aware of this issue; however, their response was not known at the time of this writing.

CREDITS
Discovered by
Georgi Guninski
