[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : IE 5.5 Cross Frame security vulnerability

Title: IE 5.5 Cross Frame security vulnerability
Released by: Georgi Guninski
Date: 4th September 2000
Printable version: Click here
Georgi Guninski security advisory #20, 2000

IE 5.5 Cross Frame security vulnerability - Web Browser Control's

Navigate method

Systems affected:

IE 5.5/Win98. Probably other versions - have not tested.

Risk: High

Date: 4 September 2000

Legal Notice:

This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute

it unmodified. You may not modify it and distribute it or distribute

parts of it without the author's written permission.


The opinions expressed in this advisory and program are my own and not

of any company.

The usual standard disclaimer applies, especially the fact that Georgi


is not liable for any damages caused by direct or  indirect use of the

information or functionality provided by this program.

Georgi Guninski, bears NO responsibility for content or misuse of this

program or any derivatives thereof.


Internet Explorer 5.5 under Windows 98 (suppose all other versions are

also vulnerable)

allows circumventing "Cross frame security policy" by accessing the DOM

of documents using JavaScript and WebBrowser control.

This exposes the whole DOM of the target document and opens lots of

security risks.

This allows reading local files, reading files from any host, window

spoofing, getting cookies, etc.

Reading cookies from arbitrary hosts is dangerous, because some sites

use cookies for authentication.


The problem is Web Browser's control allows opening javascript: URLs in

already opened documents

by using its Navigate method.

The code in the javascript: URLs is executed in the security context of

the target document and has full access to its DOM.

First, a target document is opened in a new named window and then Web

Browser's control Navigate method

is invoked to open a javascript: URLs in the target named window.

Examine the code for details.

The code is:



Demonstration is available at: http://www.nat.bg/~joro/webctrl1.html

Workaround: Disable Active Scripting


Georgi Guninski


(C) 1999-2000 All rights reserved.