Microsoft Internet Explorer Remote File Viewing Vulnerability

A vulnerability has been discovered in Microsoft Internet Explorer that may disclose files from a web user's local system. Only files of a type that is readily viewable in a web browser (HTML, TXT, GIF, JPG, etc.) can be disclosed.

A web page may be constructed that causes information to be shared between two separate Internet Explorer windows. This may be used maliciously by opening one window in the website's domain and another window in the web user's local file system.

To divulge sensitive information through this issue, the attacker must know the path to an existing file on the web user's system. Active Scripting must also be enabled in the web user's browser for this issue to be exploited.

This issue is a variation of the "Frame Domain Verification Vulnerability" that is discussed in Microsoft Security Bulletin MS01-015/CAN-2001-0002/BugTraq ID 2456.


 

Copyright 2010, SecurityFocus