Microsoft Internet Explorer dragDrop方法可读取本地文件漏洞

发布时间：2003-02-03
更新时间：2003-02-03
严重程度：中
威胁程度：远程非授权文件存取
错误类型：设计错误
利用方式：客户机模式

BUGTRAQ ID：6749

受影响系统

Microsoft Internet Explorer 5.5 SP2
   - Microsoft Windows 2000 Advanced Server
   - Microsoft Windows 2000 Advanced Server SP1
   - Microsoft Windows 2000 Advanced Server SP2
   - Microsoft Windows 2000 Datacenter Server
   - Microsoft Windows 2000 Datacenter Server SP1
   - Microsoft Windows 2000 Datacenter Server SP2
   - Microsoft Windows 2000 Professional
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Professional SP2
   - Microsoft Windows 2000 Server
   - Microsoft Windows 2000 Server SP1
   - Microsoft Windows 2000 Server SP2
   - Microsoft Windows 2000 Terminal Services
   - Microsoft Windows 2000 Terminal Services SP1
   - Microsoft Windows 2000 Terminal Services SP2
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows 98SE
   - Microsoft Windows ME
   - Microsoft Windows NT Enterprise Server 4.0
   - Microsoft Windows NT Enterprise Server 4.0 SP1
   - Microsoft Windows NT Enterprise Server 4.0 SP2
   - Microsoft Windows NT Enterprise Server 4.0 SP3
   - Microsoft Windows NT Enterprise Server 4.0 SP4
   - Microsoft Windows NT Enterprise Server 4.0 SP5
   - Microsoft Windows NT Enterprise Server 4.0 SP6
   - Microsoft Windows NT Enterprise Server 4.0 SP6a
   - Microsoft Windows NT Server 4.0
   - Microsoft Windows NT Server 4.0 SP1
   - Microsoft Windows NT Server 4.0 SP2
   - Microsoft Windows NT Server 4.0 SP3
   - Microsoft Windows NT Server 4.0 SP4
   - Microsoft Windows NT Server 4.0 SP5
   - Microsoft Windows NT Server 4.0 SP6
   - Microsoft Windows NT Server 4.0 SP6a
   - Microsoft Windows NT Terminal Server 4.0
   - Microsoft Windows NT Terminal Server 4.0 SP1
   - Microsoft Windows NT Terminal Server 4.0 SP2
   - Microsoft Windows NT Terminal Server 4.0 SP3
   - Microsoft Windows NT Terminal Server 4.0 SP4
   - Microsoft Windows NT Terminal Server 4.0 SP5
   - Microsoft Windows NT Terminal Server 4.0 SP6
   - Microsoft Windows NT Terminal Server 4.0 SP6a
   - Microsoft Windows NT Workstation 4.0
   - Microsoft Windows NT Workstation 4.0 SP1
   - Microsoft Windows NT Workstation 4.0 SP2
   - Microsoft Windows NT Workstation 4.0 SP3
   - Microsoft Windows NT Workstation 4.0 SP4
   - Microsoft Windows NT Workstation 4.0 SP5
   - Microsoft Windows NT Workstation 4.0 SP6
   - Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Internet Explorer 5.5 SP1
   - Microsoft Windows 2000 Advanced Server
   - Microsoft Windows 2000 Advanced Server SP1
   - Microsoft Windows 2000 Advanced Server SP2
   - Microsoft Windows 2000 Datacenter Server
   - Microsoft Windows 2000 Datacenter Server SP1
   - Microsoft Windows 2000 Datacenter Server SP2
   - Microsoft Windows 2000 Professional
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Professional SP2
   - Microsoft Windows 2000 Server
   - Microsoft Windows 2000 Server SP1
   - Microsoft Windows 2000 Server SP2
   - Microsoft Windows 2000 Terminal Services
   - Microsoft Windows 2000 Terminal Services SP1
   - Microsoft Windows 2000 Terminal Services SP2
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows NT Enterprise Server 4.0
   - Microsoft Windows NT Enterprise Server 4.0 SP1
   - Microsoft Windows NT Enterprise Server 4.0 SP2
   - Microsoft Windows NT Enterprise Server 4.0 SP3
   - Microsoft Windows NT Enterprise Server 4.0 SP4
   - Microsoft Windows NT Enterprise Server 4.0 SP5
   - Microsoft Windows NT Enterprise Server 4.0 SP6
   - Microsoft Windows NT Enterprise Server 4.0 SP6a
   - Microsoft Windows NT Server 4.0
   - Microsoft Windows NT Server 4.0 SP1
   - Microsoft Windows NT Server 4.0 SP2
   - Microsoft Windows NT Server 4.0 SP3
   - Microsoft Windows NT Server 4.0 SP4
   - Microsoft Windows NT Server 4.0 SP5
   - Microsoft Windows NT Server 4.0 SP6
   - Microsoft Windows NT Server 4.0 SP6a
   - Microsoft Windows NT Terminal Server 4.0
   - Microsoft Windows NT Terminal Server 4.0 SP1
   - Microsoft Windows NT Terminal Server 4.0 SP2
   - Microsoft Windows NT Terminal Server 4.0 SP3
   - Microsoft Windows NT Terminal Server 4.0 SP4
   - Microsoft Windows NT Terminal Server 4.0 SP5
   - Microsoft Windows NT Terminal Server 4.0 SP6
   - Microsoft Windows NT Terminal Server 4.0 SP6a
   - Microsoft Windows NT Workstation 4.0
   - Microsoft Windows NT Workstation 4.0 SP1
   - Microsoft Windows NT Workstation 4.0 SP2
   - Microsoft Windows NT Workstation 4.0 SP3
   - Microsoft Windows NT Workstation 4.0 SP4
   - Microsoft Windows NT Workstation 4.0 SP5
   - Microsoft Windows NT Workstation 4.0 SP6
   - Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Internet Explorer 5.5
   - Microsoft Windows 2000 Advanced Server
   - Microsoft Windows 2000 Advanced Server SP1
   - Microsoft Windows 2000 Advanced Server SP2
   - Microsoft Windows 2000 Datacenter Server
   - Microsoft Windows 2000 Datacenter Server SP1
   - Microsoft Windows 2000 Datacenter Server SP2
   - Microsoft Windows 2000 Professional
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Professional SP2
   - Microsoft Windows 2000 Server
   - Microsoft Windows 2000 Server SP1
   - Microsoft Windows 2000 Server SP2
   - Microsoft Windows 2000 Terminal Services
   - Microsoft Windows 2000 Terminal Services SP1
   - Microsoft Windows 2000 Terminal Services SP2
   - Microsoft Windows 95
   - Microsoft Windows 98
   + Microsoft Windows ME
   - Microsoft Windows NT Enterprise Server 4.0
   - Microsoft Windows NT Enterprise Server 4.0 SP1
   - Microsoft Windows NT Enterprise Server 4.0 SP2
   - Microsoft Windows NT Enterprise Server 4.0 SP3
   - Microsoft Windows NT Enterprise Server 4.0 SP4
   - Microsoft Windows NT Enterprise Server 4.0 SP5
   - Microsoft Windows NT Enterprise Server 4.0 SP6
   - Microsoft Windows NT Enterprise Server 4.0 SP6a
   - Microsoft Windows NT Server 4.0
   - Microsoft Windows NT Server 4.0 SP1
   - Microsoft Windows NT Server 4.0 SP2
   - Microsoft Windows NT Server 4.0 SP3
   - Microsoft Windows NT Server 4.0 SP4
   - Microsoft Windows NT Server 4.0 SP5
   - Microsoft Windows NT Server 4.0 SP6
   - Microsoft Windows NT Server 4.0 SP6a
   - Microsoft Windows NT Terminal Server 4.0
   - Microsoft Windows NT Terminal Server 4.0 SP1
   - Microsoft Windows NT Terminal Server 4.0 SP2
   - Microsoft Windows NT Terminal Server 4.0 SP3
   - Microsoft Windows NT Terminal Server 4.0 SP4
   - Microsoft Windows NT Terminal Server 4.0 SP5
   - Microsoft Windows NT Terminal Server 4.0 SP6
   - Microsoft Windows NT Terminal Server 4.0 SP6a
   - Microsoft Windows NT Workstation 4.0
   - Microsoft Windows NT Workstation 4.0 SP1
   - Microsoft Windows NT Workstation 4.0 SP2
   - Microsoft Windows NT Workstation 4.0 SP3
   - Microsoft Windows NT Workstation 4.0 SP4
   - Microsoft Windows NT Workstation 4.0 SP5
   - Microsoft Windows NT Workstation 4.0 SP6
   - Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
   - Microsoft Windows 2000 Advanced Server
   - Microsoft Windows 2000 Advanced Server SP1
   - Microsoft Windows 2000 Advanced Server SP2
   - Microsoft Windows 2000 Datacenter Server
   - Microsoft Windows 2000 Datacenter Server SP1
   - Microsoft Windows 2000 Datacenter Server SP2
   - Microsoft Windows 2000 Professional
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Professional SP2
   - Microsoft Windows 2000 Server
   - Microsoft Windows 2000 Server SP1
   - Microsoft Windows 2000 Server SP2
   - Microsoft Windows 2000 Terminal Services
   - Microsoft Windows 2000 Terminal Services SP1
   - Microsoft Windows 2000 Terminal Services SP2
   - Microsoft Windows 98
   - Microsoft Windows 98SE
   - Microsoft Windows ME
   - Microsoft Windows NT Enterprise Server 4.0 SP6a
   - Microsoft Windows NT Server 4.0 SP6a
   - Microsoft Windows NT Terminal Server 4.0 SP6a
   - Microsoft Windows NT Workstation 4.0 SP6a

详细描述
使用IE中的后退按钮是危险的(http://online.securityfocus.com/archive/1/267561)，IE中提供的dragdrop方法可以让HTML的元素行为可以被拖拽。如果滥用这种方法在HTML的文件上传控件中，可以在知道文件名的情况下读取本地文件。

基本的拖拽文本由下面步骤构成：
*选择文本
*按住鼠标
*移动鼠标到接收的元素上
*释放鼠标

这里提供一个漏洞演示：
http://kuperus.xs4all.nl/security/ie/xfiles.htm

测试代码
尚无

解决方案
目前MS没有提供补丁。

相关信息
相关连接：

internet explorer local file reading
http://www.securityfocus.com/archive/1/309997

最近严重漏洞

Microsoft Internet Explorer dragDrop方法可读取本地文件漏洞