Versions 5.5, 6.0

Georgi Guninski reported a security vulnerability in Microsoft's Internet Explorer browser. A remote user can create a web page or HTML-based e-mail message that can access files on another user's PC.

It is reported that there is a bug in GetObject() that allows active scripting to read local files.

The following is an example of code that will trigger the vulnerability:

a=GetObject("http://"+location.host+"/../../../../../../test.txt","htmlfile");

There was no solution available from Microsoft at this time. The author recommends disabling active scripting or not using IE in hostile environments.
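With no vendor fix available, a mail gateway or proxy can look for the call shape quoted above. The following is an added example, not part of the original advisory: it flags GetObject() calls whose string literals contain "../" traversal or the "htmlfile" class. The function names and the sample page are constructed for illustration.

```javascript
// Added example (not from the advisory): scan HTML for GetObject() calls whose
// string arguments contain "../" traversal or the "htmlfile" class.

// Text between the "(" at openIdx and its matching ")", ignoring parentheses in strings.
function callArguments(src, openIdx) {
  let depth = 0, quote = null;
  for (let i = openIdx; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") quote = c;
    else if (c === '(') depth++;
    else if (c === ')' && --depth === 0) return src.slice(openIdx + 1, i);
  }
  return src.slice(openIdx + 1);           // unterminated call: scan to end of input
}

// Canonicalise a literal: decode %xx escapes, treat backslashes as slashes, lowercase.
function normalise(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
          .replace(/\\+/g, '/').toLowerCase();
}

function findSuspiciousGetObject(html) {
  const findings = [];
  const call = /\bGetObject\s*\(/gi;       // case-insensitive: VBScript ignores case
  let m;
  while ((m = call.exec(html)) !== null) {
    const args = callArguments(html, m.index + m[0].length - 1);
    const literals = (args.match(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g) || [])
      .map(s => normalise(s.slice(1, -1)));
    const traversal = /(^|\/)\.\.(\/|$)/.test(literals.join(''));
    const htmlfile = literals.includes('htmlfile');
    if (traversal || htmlfile) {
      findings.push({ line: html.slice(0, m.index).split('\n').length, traversal, htmlfile });
    }
  }
  return findings;
}

// Constructed sample page: line 2 is benign, line 3 is the call quoted in the advisory.
const SAMPLE = [
  '<script>',
  'var doc = GetObject("report.xls");',
  'a=GetObject("http://"+location.host+"/../../../../../../test.txt","htmlfile");',
  '</script>',
].join('\n');
console.log(findSuspiciousGetObject(SAMPLE));
```

Only string literals are inspected, so a path assembled entirely from variables is not caught; treat a hit as a reason to quarantine the content, not as proof the scan is complete.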