BugTraq
Internet Explorer iframe sandbox local file name disclosure vulnerability Aug 09 2016 05:47PM
Securify B.V. (lists securify nl)
------------------------------------------------------------------------

Internet Explorer iframe sandbox local file name disclosure
vulnerability
------------------------------------------------------------------------

Yorick Koster, March 2016

------------------------------------------------------------------------

Abstract
------------------------------------------------------------------------

It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
different for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also it is not possible to do this from a regular website as
file:// URLs are blocked all together. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.

------------------------------------------------------------------------

See also
------------------------------------------------------------------------

- CVE-2016-3321
- MS16-095: Cumulative Security Update for Internet Explorer (3177356)

------------------------------------------------------------------------

Tested versions
------------------------------------------------------------------------

This issue was successfully verified on Internet Explorer 10 and
Internet Explorer 11. The HTML5 sandbox iframes is not available in
older versions of Internet Explorer.

------------------------------------------------------------------------

Fix
------------------------------------------------------------------------

Microsoft released MS16-095 that fixes this vulnerability.

------------------------------------------------------------------------

Details
------------------------------------------------------------------------

https://www.securify.nl/advisory/SFY20160301/internet_explorer_iframe_sa
ndbox_local_file_name_disclosure_vulnerability.html

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus