Apparently Microsoft were in a little bit of a rush to get Internet Explorer 6 out the door, and forgot to take that extra bit of time to debug and test it for security cracks and holes. In this article Mitchell talks about the latest security holes found in IE6. He shows you how to test your system for vulnerabilities and also provides links to the relevant patches and more information on the holes.
Internet Explorer 6 Hacks And Holes Exposed - Direct file access (Page 4 of 5)
One final example that I would like to show you today is how easy it is to grab the contents of a file from a user's PC and send it back to a web server for processing and analysing.
The document.open function is used to open documents in a new window. When I say documents I'm roughly talking about HTML pages that reside on some remote server. With most browsers, all you can open in a new window are remote documents, remote meaning those that need to be retrieved over a protocol such as HTTP or FTP. Sure, you can use the file:/// syntax to open a local file with most browsers, but you can't do this using client-side code from a remote web page, right? Or can you?
That's right: thanks to a couple more holes in IE6, it's now possible to see the contents of a file on a client's machine... all with one simple call to the document.open function. Create a new file named c:\file_read.html. Enter the following code into it:
The JScript code in the example above retrieves the contents of c:\winnt\setuplog.txt (which is the log from the installation of Windows 2000) and displays it in a text box on a web page. The location of the local file is specified in the fileLoc variable, and can be any file you like. The only requirements for this code to work are that the file must be either an HTML or a text file, and must exist on the user's PC.
If you're thinking that you can't do much with text files, then think about XML. XML is text-based, and is quickly becoming the replacement for traditional INI files. If you knew where a user had an XML file residing on their hard drive, you could grab it and use IE6's built-in XML engine (MSXML) to pull elements out of the file. Furthermore, you could use JScript event handlers to automatically submit that data back to a remote web server (form1.submit())... all while the client has no idea of what's going on. A definite security worry indeed!
Obviously the best way to protect yourself from this hole is to disable client-side scripting completely, raising your security settings to high if you feel the need to do so.
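To check whether a machine is still exposed to this hole, and to apply the mitigation above, here is an added PowerShell example (not code from the original article). It assumes the standard Internet Explorer zone registry layout: zone 3 is the Internet zone, value 1400 is "Active scripting" (0 = enable, 1 = prompt, 3 = disable), and CurrentLevel 0x12000 corresponds to the High security level.

```powershell
# Added example, not part of the original article: audit (and optionally
# harden) the IE Internet-zone settings the article recommends changing.
# Assumptions: zone 3 = Internet zone; value 1400 = "Active scripting"
# (0 = enable, 1 = prompt, 3 = disable); CurrentLevel 0x12000 = High.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-InternetZoneScriptingStatus {
    # Read the per-user Internet zone key and decode the two relevant values.
    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop

    $scripting = switch ($zone.'1400') {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { 'Unknown' }
    }

    $level = switch ($zone.CurrentLevel) {
        0x12000 { 'High' }
        0x11000 { 'Medium' }
        0x10500 { 'Medium-Low' }
        0x10000 { 'Low' }
        default { 'Custom/Unknown' }
    }

    [pscustomobject]@{
        ActiveScripting = $scripting
        SecurityLevel   = $level
        # The article's concern: client-side script from a remote page can run at all.
        Exposed         = ($scripting -eq 'Enabled')
    }
}

function Disable-InternetZoneScripting {
    # Apply the article's mitigation: set "Active scripting" to Disable (3)
    # for the Internet zone, then report the resulting state.
    Set-ItemProperty -Path $ZonePath -Name '1400' -Value 3 -Type DWord
    Get-InternetZoneScriptingStatus
}

# Audit only; call Disable-InternetZoneScripting to apply the change.
Get-InternetZoneScriptingStatus
```

The audit reads the current user's settings only; machine-wide policy under HKLM can override these values, so check both where Group Policy is in use.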