Vulnerability Note VU#37828
Internet Explorer DHTML"Download Behavior" can be tricked into exposing local files
The download behavior of Internet Explorer 5.0 can be used to perform arbitrary operations on local files.
Internet Explorer 5.0 includes a dynamic HTML (DHTML) behavior called "download behavior." A "behavior" is a software object that specifies some behavior of a web page element, for example, the behavior of an object when the mouse is placed over the object. Some behaviors are included by default in IE 5, including the download behavior. This feature allows a web site to download files for use in a client side script.
For more information, see
Malicious web site operators can retrieve files from your system.
Upgrade to the latest version of Internet Explorer or download a patch as described in http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-040.asp.
Systems Affected (Learn More)
No information available. If you are a vendor and your product is affected, let us know.
CVSS Metrics (Learn More)
This document was written by Shawn V Hernan.
- CVE IDs: CVE-1999-0891
- Date Public: 28 Sep 99
- Date First Published: 14 Aug 2001
- Date Last Updated: 21 Aug 2001
- Severity Metric: 3.18
- Document Revision: 3
If you have feedback, comments, or additional information about this vulnerability, please send us email.