SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE)
Vendors:   Microsoft
Microsoft Internet Explorer May Let Remote Users Read or Write Files Via the dragDrop() Method
SecurityTracker Alert ID:  1006036
SecurityTracker URL:  http://securitytracker.com/id/1006036
CVE Reference:   CVE-2003-0823, CVE-2003-1027
Updated:  Jun 13 2008
Original Entry Date:  Feb 3 2003
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.5, 6, 6 SP1
Description:   A vulnerability was reported in Microsoft Internet Explorer. A remote user can create malicious code that will effect the dragging and dropping of arbitrary HTML.

Jelmer reported a vulnerability in the dragDrop() method. According to the report, a remote user can create malicious HTML that, when activated by the target user with the mouse down action ("handleOnmousedown()"), will drop arbitrary text into an HTML upload control [CVE: CAN-2003-0823]. This reportedly allows a remote user to read or write arbitrary specified files to/from the target user's system with the privileges of the target user.

A demonstration exploit page is available at:

http://kuperus.xs4all.nl/security/ie/xfiles.htm

On November 11, 2003, Microsoft issued a fix that appeared to address this flaw reported by Jelmer.

On November 16, 2003, Liu Die Yu reported that a remote user can invoke method caching (i.e., "SaveRef") to transform a click event (e.g., mousedown, mouseup) into a drag-and-drop event (e.g., mousedown, mousemove, mouseup) even if the MS03-048 patch is applied [CVE: CAN-2003-1027].

Impact:   A remote user can read arbitrary specified files on the target user's system if the target user clicks on an apparent link.

A remote user can place a file containing arbitrary contents on the target user's system when the user clicks on a link.

Solution:   No vendor solution was available at the time of the original entry.

The author of the report indicates that you can disable active scripting to avoid the impact of this flaw.

On November 11, 2003, Microsoft released MS03-048 to fix this flaw. However, Liu Die Yu reported on November 16, 2003 that a variation of the exploit will still work even after MS03-048 is applied. See the Message History for information on the MS03-048 fix.

Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error, State error
Underlying OS:   Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 11 2003 (Vendor Issues Fix) Re: Microsoft Internet Explorer May Disclose Local Files to Remote Users Via the dragDrop() Method
The vendor has issued a fix that addresses the original vulnerability, but not Liu Die Yu's variation.
Feb 3 2004 (Vendor Issues Fix) Microsoft Internet Explorer May Let Remote Users Read or Write Files Via the dragDrop() Method
The vendor has issued a fix.
Feb 8 2005 (Vendor Issues Fix) Microsoft Internet Explorer May Let Remote Users Read or Write Files Via the dragDrop() Method
Microsoft has issued a fix.



 Source Message Contents

Date:  Mon, 3 Feb 2003 15:25:10 +0100
Subject:  internet explorer local file reading


We already knew pressing the back button on IE is dangerous
(http://online.securityfocus.com/archive/1/267561), so it won't come as a
total shock that so is clicking a link :)

The problem lies in the dragdrop method that was added as a method on
nearly all HTML elements in ie5.5. This method makes any element act like
it's being dragged.

It is possible to abuse this behaviour to drop text in an HTML upload
control, thus allowing you to read any file from an unsuspecting user's
hard disk. In order for it to be successful, the name of the file must be
known.

Basically, dragging and dropping text takes a couple of steps:

- select text
- press mouse
- move mouse over an element that can accept it
- release mouse.

It is possible to mimic all the above steps but the pressing of the button
by using javascript.

a demo is provided at

http://kuperus.xs4all.nl/security/ie/xfiles.htm

it isn't very elegant but seems to work most of the time (ie acts a little
flaky at times); there are probably better ways to do it. If you know of
any, let me know ;)


it was tested on ie 6 sp1 + all patches

Microsoft was notified a couple of days back; haven't received anything back
yet.

If you want to protect yourself against this disable active scripting


references:

http://webreference.com/programming/javascript/dragdropie/3.html
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/dragdrop.asp
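
A defender-side illustration of the pattern described in the message above (added here; it is not part of the original message or of the SecurityTracker entry): a static heuristic that a proxy or mail gateway could run over HTML, flagging pages that reference the dragDrop member alongside a file upload control. The rule names, verdicts and sample fragments are constructed, and matching the member reference rather than a call assumes that a cached method reference still names dragDrop somewhere in the page source.

```javascript
// Added example: static heuristic for the pattern in this advisory.
// Rule names, verdicts and sample pages are constructed for illustration.
const RULES = [
  // Reference to the dragDrop member in dot or bracket notation. Matching the
  // reference rather than a call also catches a method stored for later use.
  { id: "dragdrop-ref", re: /\.\s*dragDrop\b|\[\s*["']dragDrop["']\s*\]/ },
  // HTML upload control, with a quoted or unquoted type attribute.
  { id: "file-input", re: /<input\b[^>]*\btype\s*=\s*["']?file\b/i },
  // Mouse-button handler: the one step the report says script cannot mimic.
  { id: "mouse-handler", re: /\bon(mousedown|mouseup|click)\b/i },
];

function scanPage(html) {
  // HTML comments are deliberately not stripped: pages of this era often wrap
  // script bodies in <!-- ... --> and stripping would hide the script.
  const hits = RULES.filter((r) => r.re.test(html)).map((r) => r.id);
  const drag = hits.includes("dragdrop-ref");
  const file = hits.includes("file-input");
  // dragDrop plus an upload control is the combination the advisory describes;
  // dragDrop alone is legitimate drag-and-drop UI and only merits a look.
  const verdict = drag && file ? "block" : drag ? "review" : "clean";
  return { verdict, hits };
}

// Constructed sample pages (inert fragments, not taken from the demo page).
const SAMPLES = {
  direct: '<INPUT TYPE=file name=f><a href="#" onmousedown="src.dragDrop()">x</a>',
  cached: '<input type="file"><script><!--\nvar ref = el["dragDrop"];\n//--></script>',
  uploadOnly: '<form><input type="file" name="doc"><input type="submit"></form>',
  dragOnly: '<div id="card" onmousedown="this.dragDrop()">drag me</div>',
};

function scanAll() {
  const out = {};
  for (const [name, html] of Object.entries(SAMPLES)) {
    out[name] = scanPage(html).verdict;
  }
  return out;
}

console.log(scanAll());
```

A "review" verdict is expected on ordinary drag-and-drop interfaces, so only the combined "block" case is suitable for automatic filtering.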

 
 



Copyright 2014, SecurityGlobal.net LLC