Jelmer,

Exploitation is not limited to disclosing the contents of files on client systems. If your exploit page is modified so that a website is opened rather than a local file, the calling script can access the properties of the website. The problem here is that IE6/5.5 does not properly enforce the same origin policy.

I believe that this is just another way to exploit the same basic (but extremely serious) problem that was reported by The Pull in this post:

http://www.securityfocus.com/archive/1/246522

Also see this entry in the SecurityFocus Vulnerability Database:

http://www.securityfocus.com/bid/3721

I have not yet seen a public response from Microsoft. According to The Pull, they were notified (it also went over the list).

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Fri, 4 Jan 2002, jelmer wrote:

> More reading of local files in MSIE
>
> Description
>
> There is a security vulnerability in IE 5.5 and 6 (probably other
> versions as well) which allows reading and sending of local files.
> The problem lies in the fact that you are able to access a local file's
> dom by calling the execScript function on a newly created window.
> The sample exploit provided can only read browser readable files; however,
> it is highly likely that reading binary files is possible as well
> (by attaching an event to the dom that calls the httpxmlcomponent, which
> itself at the point of writing is still vulnerable as well).
> In order for this exploit to work the file name must be known.
>
> Risk
>
> High
>
> Systems affected:
>
> The vulnerability has been successfully exploited on
> IE 6 / Windows XP with all patches installed
> IE 5.5 / Windows ME