Published: 1999-11-17 00:00:00
Revised: 2008-09-09 08:35:39

[Original] Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet.

[CNNVD] Internet Explorer vulnerability (CNNVD-199911-058)

        A vulnerability exists in Internet Explorer. Remote attackers can read files by redirecting data to a JavaScript applet.

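- CVSS (base score)

CVSS score: 2.6 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]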

- CPE (affected platforms and products)

cpe:/a:microsoft:ie:5.0    Microsoft Internet Explorer 5.0
cpe:/a:microsoft:ie:4.0.1  Microsoft Internet Explorer 4.0.1

- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  MS  MS99-043

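- Vulnerability information

Internet Explorer vulnerability
Low risk  Unknown
1999-11-17 00:00:00 2005-05-02 00:00:00
        A vulnerability exists in Internet Explorer. Remote attackers can read files by redirecting data to a JavaScript applet.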

- Advisories and patches


- Vulnerability information (19559)

MS IE 5.0/4.0.1 Javascript URL Redirection Vulnerability (EDBID:19559)
windows remote
1999-10-18 Verified
0 Georgi Guninski
N/A
Microsoft Internet Explorer 5.0 for Windows 2000/Windows 95/Windows 98/Windows NT 4, Microsoft Internet Explorer 4.0.1 for Windows 98/Windows NT 4.0/Unix 5.0 Javascript URL Redirection Vulnerability


A malicious web site operator could design a web page that, when visited by an IE5 user, would read a local file from the victim host (or any file on the victim's network to which the victim has access) and send the contents of that file to a designated remote location.

1) The IE5 user visits a malicious web site.

2) The web site instructs the client to open another IE5 browser window and display the contents of a file residing on the IE5 user's host (or another host on the network to which the IE5 user has access).

3) Immediately after opening the new browser window, the window is instructed to browse to a specified web site ie: http://malicious

4) The hack.cgi?doit page does not return a web page, but instead redirects the window to a javascript URL containing embedded executable code.

5) The javascript code (from step 4) can now access any files on the victim's host (or any file on the victim's network to which the victim has access) and send it to a location maintained by the malicious web site operator.

Under normal circumstances, JavaScript received from a non-local "security zone" is not allowed to perform such actions against files on the local host. In this instance, however, the IE5 browser has been fooled (via an HTTP redirect to a javascript: URL) into executing the JavaScript under the security context of the local host's security zone, because the JavaScript was requested from a browser window displaying the local file.

Microsoft has released a FAQ that contains a good description of this vulnerability: 

alert("Create a short text file C:\\TEST.TXT and it will be read and shown in a dialog box");"file://c:/test.txt");
// "" just does a HTTP redirect to: "javascript:alert(document.body.innerText)"
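The redirect in step 4 delivers a javascript: URL in an HTTP Location header. The following is an added example, not part of the original advisory: a proxy-side or log-side check that flags redirects whose resolved target is not http or https. The function names, host names and sample responses are constructed for illustration.

```javascript
// Added example: audit HTTP redirects for targets outside http/https.
// Names and sample data are constructed; nothing here comes from the advisory
// except the javascript: URL and file path quoted on the page.
const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Classify one response. `requestUrl` is the URL that was fetched; it is the
// base for resolving a relative Location value.
function classifyRedirect(status, location, requestUrl) {
  if (!REDIRECT_CODES.has(status) || location == null) {
    return { verdict: "ignore", scheme: null };
  }
  let target;
  try {
    // The WHATWG parser trims surrounding whitespace, drops embedded tabs and
    // newlines, and lower-cases the scheme, so obfuscated spellings normalise.
    target = new URL(location, requestUrl);
  } catch (err) {
    return { verdict: "block", scheme: null }; // unparseable: fail closed
  }
  const verdict = ALLOWED_SCHEMES.has(target.protocol) ? "allow" : "block";
  return { verdict, scheme: target.protocol };
}

// Return only the responses whose redirect target should be blocked.
function auditResponses(responses) {
  return responses
    .map((r) => ({ url: r.url, ...classifyRedirect(r.status, r.location, r.url) }))
    .filter((r) => r.verdict === "block");
}

// Constructed sample traffic (not captured data).
const SAMPLE = [
  { url: "http://site.example/a", status: 302, location: "/login" },
  { url: "http://site.example/b", status: 302, location: "javascript:alert(document.body.innerText)" },
  { url: "http://site.example/c", status: 301, location: " JaVa\tScRiPt:void(0)" },
  { url: "http://site.example/d", status: 302, location: "file:///c:/test.txt" },
  { url: "http://site.example/e", status: 200, location: null },
  { url: "http://site.example/f", status: 307, location: "https://other.example/x" },
];

console.log(auditResponses(SAMPLE));
```

Resolving the Location value with a URL parser before checking the scheme is what catches the mixed-case and tab-split spellings that a plain string prefix match would miss.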

- Vulnerability information

Microsoft IE Javascript Applet Data Redirect Arbitrary File Access
Context Dependent Information Disclosure
Loss of Confidentiality Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

1999-10-18 Unknown
1999-10-18 Unknown

- Solution


Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete