Vulnerability Note VU#37828

Internet Explorer DHTML "Download Behavior" can be tricked into exposing local files

Original Release date: 14 Aug 2001 | Last revised: 21 Aug 2001

Overview

The download behavior of Internet Explorer 5.0 can be used to perform arbitrary operations on local files.

Description

Internet Explorer 5.0 includes a dynamic HTML (DHTML) behavior called "download behavior." A "behavior" is a software object that specifies how a web page element behaves, for example, how an object responds when the mouse is placed over it. Some behaviors are included by default in IE 5, including the download behavior. This feature allows a web site to download files for use in a client-side script.

The "start download" method of the "download" behavior has the following syntax:

oDownload.startDownload(sUrl, fpCallback)

sUrl is a string specifying the file, and fpCallback is a pointer to a function that handles the downloaded file. The contents of the file are passed to fpCallback as its only parameter.

sUrl is supposed to originate in the same domain as the web site. However, a web site can be constructed so that it redirects the browser to a local file (if the name of the file can be guessed or is known). The callback function can then perform arbitrary operations on the file's contents, including possibly sending them to the intruder.
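The gap described above can be modeled as a domain check that looks only at the URL the script passed in, next to a check applied to every redirect hop. This is an added example, not Internet Explorer or Microsoft code; the site.example URLs, the placeholder file path, the redirect table and all function names are constructed, and the "requested URL only" behaviour is an assumption drawn from the description.

```javascript
// Added model of the origin check; not Internet Explorer or Microsoft code.
// REDIRECTS is a constructed table standing in for the server's HTTP redirects.
const PAGE = "http://site.example/page.html";              // constructed page URL
const REDIRECTS = new Map([
  ["http://site.example/r", "file:///C:/placeholder.txt"],   // redirect to a local path
  ["http://site.example/loop", "http://site.example/loop"],  // redirect loop
]);

// Scheme plus host; a file: URL has an empty host and never matches an http page.
function origin(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.host;
}

// Follow redirects from the table, giving up after maxHops.
function redirectChain(url, maxHops = 5) {
  const chain = [url];
  while (REDIRECTS.has(chain[chain.length - 1])) {
    if (chain.length > maxHops) throw new Error("too many redirects");
    chain.push(REDIRECTS.get(chain[chain.length - 1]));
  }
  return chain;
}

// Assumed flawed behaviour: only the URL the script passed in is compared.
function checkRequestedOnly(pageUrl, requestedUrl) {
  if (origin(requestedUrl) !== origin(pageUrl)) {
    return { allowed: false, reason: "requested URL is outside the page's domain" };
  }
  const chain = redirectChain(requestedUrl);
  return { allowed: true, finalUrl: chain[chain.length - 1] };
}

// Corrected behaviour: every hop, including the final one, must match the page.
function checkEveryHop(pageUrl, requestedUrl) {
  let chain;
  try {
    chain = redirectChain(requestedUrl);
  } catch (e) {
    return { allowed: false, reason: e.message };
  }
  const bad = chain.find((u) => origin(u) !== origin(pageUrl));
  if (bad) return { allowed: false, reason: "redirect leaves the page's domain: " + bad };
  return { allowed: true, finalUrl: chain[chain.length - 1] };
}
```

The same rule applies to any fetch-on-behalf-of-a-page feature: the policy decision belongs to the resource that is finally read, not to the URL that was first requested.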

For more information, see

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-040.asp

Impact

Malicious web site operators can retrieve files from your system.

Solution

Upgrade to the latest version of Internet Explorer or download a patch as described in http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-040.asp.

Systems Affected

No information available. If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This document was written by Shawn V Hernan.

Other Information

  • CVE IDs: CVE-1999-0891
  • Date Public: 28 Sep 99
  • Date First Published: 14 Aug 2001
  • Date Last Updated: 21 Aug 2001
  • Severity Metric: 3.18
  • Document Revision: 3
