|
Internet Explorer Global Variables Local File Detection Weakness
|
|
Secunia Advisory:
|
SA13872
|
|
|
Release Date:
|
2005-01-18
|
|
Popularity:
|
38,536 views
|
|
|
Critical:
|
 Not critical
|
|
Impact:
|
Exposure of system information
|
|
Where:
|
From remote
|
|
Solution Status:
|
Unpatched
|
|
| Software: | Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 6.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities
|
|
Description: Berend-Jan Wever has discovered a weakness in Internet Explorer, which can be exploited by malicious people to detect the presence of local files.
The problem is that sites from the "Internet" zone can include scripts from local resources. This can be exploited to determine the presence of local scripts by checking the existence of global variables introduced in the included script.
NOTE: This is similar to an old issue, which used the window.onerror event to catch errors in the loading of local scripts.
The weakness has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.
Solution: Disable Active Scripting support for all but trusted sites.
Provided and/or discovered by: Berend-Jan Wever
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|