Internet Explorer Can Read Local Files (XML Datasource)
19 Aug. 2002
Summary
There is a bug in Internet Explorer that allows reading and sending of local files. The problem lies in a legacy XML Datasource applet shipped with Internet Explorer since its 4.0 release.
Credit:
The information has been provided by Jelmer.
If you add a <base href="file:///C:/"> tag to the head section, the applet will think its codebase is local, allowing you to read local XML files. Therefore, this snippet will read c:\jelmer.xml
Even though reading local XML files is bad enough, more can be done. XML has a feature called external entities that allows you to combine multiple files as one big file. This allows us to read text files as well, as shown by the following example:
Demonstration:
A demonstration of the issue described is available at: http://www.xs4all.nl/~jkuperus/msieread.htm (NOTE: this demonstration will try to read and display the contents of c:\jelmer.txt)
Vendor status:
Microsoft was notified on 17 August; Jelmer has yet to receive a reply.
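The external-entity feature described above is what turns an XML reader into a text-file reader, so a component that accepts untrusted XML can inspect the DTD and refuse such documents before anything is resolved. The following is an added example, not code from the advisory or from Microsoft; the function names and both sample documents are constructed for illustration.

```python
import xml.parsers.expat
from urllib.parse import urlsplit

# Constructed sample input (not taken from the advisory's demonstration page).
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY local SYSTEM "file:///C:/jelmer.txt">
  <!ENTITY remote SYSTEM "http://example.com/part.xml">
  <!ENTITY inline "plain text">
]>
<doc>&local;&remote;&inline;</doc>"""

CLEAN = b"<doc><item>no DTD here</item></doc>"


def touches_local_disk(system_id):
    """True if the system identifier can resolve to a local file."""
    scheme = urlsplit(system_id).scheme.lower()
    # "" = relative identifier (resolved against the document base);
    # one letter = a Windows drive path (C:\jelmer.txt) parsed as a scheme.
    return scheme in ("", "file") or len(scheme) == 1


def external_entities(xml_bytes):
    """List (name, system_id, local?) for each external entity declared,
    without fetching or expanding any of them."""
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # internal entities carry a value instead
            found.append((name, system_id, touches_local_disk(system_id)))

    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return found


def accept(xml_bytes):
    """Policy for untrusted input: refuse any document declaring an external entity."""
    return not external_entities(xml_bytes)


if __name__ == "__main__":
    for name, system_id, local in external_entities(SAMPLE):
        print(f"{name}: {system_id} ({'local file' if local else 'remote'})")
    print("accept SAMPLE:", accept(SAMPLE), "| accept CLEAN:", accept(CLEAN))
```

Internal entities such as `inline` are not reported, because they carry their replacement text in the document itself and never cause a file or network read.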