Microsoft Internet Explorer May Let Remote Users Read or Write Files Via the dragDrop() Method
SecurityTracker Alert ID: 1006036
SecurityTracker URL: http://securitytracker.com/id/1006036
Updated: Jun 13 2008
Original Entry Date: Feb 3 2003
Disclosure of system information, Disclosure of user information, Modification of user information
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 5.5, 6, 6 SP1
A vulnerability was reported in Microsoft Internet Explorer. A remote user can create malicious code that causes arbitrary HTML to be dragged and dropped.
Jelmer reported a vulnerability in the dragDrop() method. According to the report, a remote user can create malicious HTML that, when activated by the target user with the mouse down action ("handleOnmousedown()"), will drop arbitrary text into an HTML upload control [CVE: CAN-2003-0823]. This reportedly allows a remote user to read or write arbitrary specified files to/from the target user's system with the privileges of the target user.
A demonstration exploit page is available at:
On November 11, 2003, Microsoft issued a fix that appeared to address this flaw reported by Jelmer.
On November 16, 2003, Liu Die Yu reported that a remote user can invoke method caching (i.e., "SaveRef") to transform a click event (e.g., mousedown, mouseup) into a drag-and-drop event (e.g., mousedown, mousemove, mouseup) even if the MS03-048 patch is applied [CVE: CAN-2003-1027].
A remote user can read arbitrary specified files on the target user's system if the target user clicks on an apparent link.
A remote user can place a file containing arbitrary contents on the target user's system when the user clicks on a link.
No vendor solution was available at the time of the original entry.
The author of the report indicates that you can disable active scripting to avoid the impact of this flaw.
On November 11, 2003, Microsoft released MS03-048 to fix this flaw. However, Liu Die Yu reported on November 16, 2003 that a variation of the exploit will still work even after MS03-048 is applied. See the Message History for information on the MS03-048 fix.
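The workaround above (disabling active scripting) can be audited per security zone. The PowerShell below is an added example, not part of the original advisory or of any Microsoft tooling; it assumes the standard Internet Explorer zone registry layout, where URL action 1400 is Active scripting (0 = enabled, 1 = prompt, 3 = disabled), and the function name Get-ActiveScriptingSetting is hypothetical.

```powershell
# Added example (not from the advisory): report the Active scripting setting
# (URL action 1400) for each Internet Explorer security zone.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$actions   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Assumption: policy keys take precedence over the per-user preference key,
# so they are consulted first. Security_HKLM_only is not handled here.
$roots = @(
    "HKLM:\SOFTWARE\Policies\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKCU:\Software\$suffix"
)

function Get-ActiveScriptingSetting {   # hypothetical helper name
    param([Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone)

    foreach ($root in $roots) {
        $key  = Join-Path $root "$Zone"
        $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # value not set in this hive

        $value = [int]$prop.'1400'
        $state = $actions[$value]
        if (-not $state) { $state = "Unknown ($value)" }
        return [pscustomobject]@{
            Zone           = $zoneNames[$Zone]
            Source         = $root
            State          = $state
            ScriptDisabled = ($value -eq 3)   # only "Disabled" matches the workaround
        }
    }
    # Value 1400 was not found in any of the keys checked above.
    [pscustomobject]@{
        Zone           = $zoneNames[$Zone]
        Source         = '(none)'
        State          = 'Not set in these keys'
        ScriptDisabled = $false
    }
}

0..4 | ForEach-Object { Get-ActiveScriptingSetting -Zone $_ } | Format-Table -AutoSize
```

Run it as the user whose browser settings are being audited, since two of the three keys live under HKCU.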
Vendor URL: www.microsoft.com/technet/security/
Access control error, State error
Underlying OS: Windows (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Mon, 3 Feb 2003 15:25:10 +0100
Subject: internet explorer local file reading
We already knew pressing the back button on IE is dangerous
(http://online.securityfocus.com/archive/1/267561) So it won't come as a
that so is clicking a link :)
The problem lies in the dragdrop method that was added as a method on
nearly all HTML elements in ie5.5. This method makes any element act like its
It is possible to abuse this behaviour to drop text in a html upload control
allowing you to read any file from an unsuspecting user's hard disk. In order
for it to be successful the name of the file must be known.
Basically, dragging and dropping text takes a couple of steps:
- select text
- press mouse
- move mouse over an element that can accept it
- release mouse.
It is possible to mimic all the above steps but the pressing of the button
a demo is provided at
it isn't very elegant but seems to work most of the time (ie acts a little
flakey at times),
there are probably better ways to do it if you know of any let me know ;)
it was tested on ie 6 sp1 + all patches
Microsoft was notified a couple of days back, haven't received anything back
If you want to protect yourself against this disable active scripting