
December 23, 2007

Comments

Mark

Wow! Great job, Yair!

Rafel Ivgi

I agree with the concept that it shouldn't run in the context of the domain, but in practice this is not a security vulnerability because when an HTML file is downloaded to be opened locally, it can then READ AND POST ANY LOCAL FILE ON THE COMPUTER, INCLUDING THE COOKIES DIRECTORY, also it's really easy to execute code ;) [if you wanna buy :)] so the least of the problems is a script running in the context of the webmail.

Ory Segal

Hi Rafel,

I think the text is a bit unclear, but the file does not open in the My-Computer zone, but rather in the context of the domain it came from.

Yair Amit

Hello Rafel,

Thank you for your comment. :)

As far as I know, Internet Explorer uses two protection mechanisms (which are activated based on the usage scenario of the user) in My Computer Zone.

The first one is total blockage of JavaScript and ActiveX unless the user gives direct consent to it (the well-known yellow security bar).

The second one is activated when the user saves the HTML file via IE and then opens it. The HTML is viewed with JavaScript enabled but in a sandboxed environment that is supposed to disallow ActiveX and to limit XMLHttpRequest object permissions.

Are you aware of ways to circumvent the aforementioned security measures?

Rafel Ivgi

I am aware of the fact that when the file is saved from the download prompt in IE, only in XP SP2, an NTFS ADS (Alternate Data Stream) called "Zone.Identifier" is created and it is checked when the file is opened. This causes the file to be opened in the Internet Zone. I got your point that this can cause XSS within the domain, but I believe that with a few redirect bugs, saving an HTML file can lead to code execution.
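
The Zone.Identifier stream Rafel describes is an INI-style text stream attached to the downloaded file; the ZoneId value in it is what decides whether IE treats the saved HTML as an Internet-zone page or a local file. The script below is an added example (not code from any commenter or from the blog) that parses that stream and reports the zone a saved file would open in, so a defender can check whether a downloaded attachment actually carries the Mark of the Web. The sample stream text is constructed; the URL in it is a placeholder, and the ReferrerUrl/HostUrl fields are ones newer Windows versions add (XP SP2-era streams carry only ZoneId). The zone ids match IE's URLZONE numbering.

```python
"""Inspect a file's Zone.Identifier alternate data stream (Mark of the Web).

Added example for the comment thread above; not the blog's or the commenters' code.
"""
import sys

# Zone ids as IE's URLZONE enumeration defines them.
ZONE_NAMES = {
    0: "Local Machine (My Computer)",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample stream, as Windows would write it for an Internet download.
# The URL is a placeholder; ReferrerUrl/HostUrl only appear on newer Windows.
SAMPLE_INTERNET_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://webmail.example.test/inbox\r\n"
    "HostUrl=https://webmail.example.test/attachment/report.html\r\n"
)


def parse_zone_identifier(stream_text):
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream.

    Returns a dict of key -> value (keys keep their original case).
    Lines outside [ZoneTransfer], blank lines and ';' comments are ignored,
    so an empty or malformed stream yields {} rather than raising.
    """
    fields = {}
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def classify_zone(fields):
    """Map parsed fields to (zone_id, description).

    A missing or non-numeric ZoneId means there is no Mark of the Web, which
    is the case Rafel's comment is about: the file opens as a plain local file.
    """
    zid = fields.get("ZoneId")
    if zid is None or not zid.isdigit():
        return None, "no Mark of the Web (treated as a local file)"
    zid = int(zid)
    return zid, ZONE_NAMES.get(zid, "unknown zone %d" % zid)


def read_zone_stream(path):
    """Read the Zone.Identifier ADS from an NTFS file.

    Works only on Windows/NTFS; returns '' when the stream is absent or the
    platform has no alternate data streams.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def describe_file(path):
    """Human-readable zone verdict for a file on disk."""
    zid, desc = classify_zone(parse_zone_identifier(read_zone_stream(path)))
    return "%s: ZoneId=%s -> %s" % (path, zid, desc)


if __name__ == "__main__":
    # Usage: python zone_check.py <downloaded.html> ...
    # With no arguments, show the verdict for the constructed sample stream.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(describe_file(p))
    else:
        print(classify_zone(parse_zone_identifier(SAMPLE_INTERNET_STREAM)))
```

On a non-NTFS system `read_zone_stream` returns an empty string, and the verdict is "no Mark of the Web"; that is the correct reading, since without the stream nothing tells the browser the file came from the Internet.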

Vicente

Hello, many thanks!
