Title: Microsoft Windows Script Host GetObject() File Disclosure Vulnerability
Severity: MODERATE
Description:
It is possible for an outside attacker to view known files on a remote system if the target user visits a website or opens an email containing a specially formed script that uses the JScript function 'GetObject()' and the ActiveX object 'htmlfile'. Microsoft Internet Explorer or Outlook Express will grant full access to the DOM of an HTML document object if the following code is inserted into an HTML-formatted document (the "I" in SCRIPT has been replaced with a "!"):
<SCR!PT>
alert("Alert Message");
a=GetObject("c:\\path\filename.ext","htmlfile");
setTimeout("alert(a.body.innerText);",2000);
</SCR!PT>
A malicious website operator may be able to view any known file on a remote system through this vulnerability if the website visitor is using Microsoft Internet Explorer.
This vulnerability is due to a flaw in Windows Script Host (WSH): WSH does not properly verify a domain for certain requests made in IE and Outlook Express.
New proof-of-concept code for this vulnerability can affect users who have already applied the Microsoft-supplied patch for this issue. The new code uses Base64 encoding embedded within the HTML, which effectively bypasses the security provided by the patch.
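For the email vector, a content filter has to match the GetObject()/'htmlfile' call on decoded content, because an encoded body never contains the literal string. The following mail-filter check is an added example, not code from this advisory or from Microsoft. It assumes the encoding appears as a base64 transfer-encoded text/html MIME part (the page does not say how the Base64 is embedded); the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Call shape from the advisory: GetObject(<path>, "htmlfile")
GETOBJECT_HTMLFILE = re.compile(
    r"""GetObject\s*\(\s*[^,()]+,\s*["']htmlfile["']\s*\)""", re.IGNORECASE)

def scan_html(html):
    """Return each GetObject(..., "htmlfile") call found in an HTML string."""
    return [m.group(0) for m in GETOBJECT_HTMLFILE.finditer(html)]

def scan_message(raw):
    """Scan every text/html part of a raw message after MIME decoding."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes the transfer encoding (base64, quoted-printable)
            hits.extend(scan_html(part.get_content()))
    return hits

def build_sample(html, cte):
    """Constructed test message; the path is the advisory's placeholder."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(html, subtype="html", cte=cte)
    return msg.as_bytes()

SAMPLE_HTML = (
    "<html><body>\n<script>\n"
    r'a=GetObject("c:\\path\\filename.ext","htmlfile");' "\n"
    "</script>\n</body></html>\n"
)

if __name__ == "__main__":
    for cte in ("7bit", "base64"):
        raw = build_sample(SAMPLE_HTML, cte)
        # A raw-byte match misses the base64 part; the decoded scan does not.
        print(cte, "raw match:", bool(scan_html(raw.decode("ascii"))),
              "decoded match:", scan_message(raw))
```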
Affected Products:
- Microsoft Windows Scripting Host 5.1.0
- Microsoft Windows Scripting Host 5.5.0
References:
- Microsoft: Microsoft Security Bulletin (MS01-015)
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.