{"vuid":"VU#37828","idnumber":"37828","name":"Internet Explorer DHTML\"Download Behavior\" can be tricked into exposing local files","keywords":["IE","Download Behavior","ie-download-behavior","MS99-040"],"overview":"The download behavior of Internet Explorer 5.0 can be used to perform arbitrary operations on local files.","clean_desc":"Internet Explorer 5.0 includes a dynamic HTML (DHTML) behavior called \"download behavior.\" A \"behavior\" is a software object that specifies some behavior of a web page element, for example, the behavior of an object when the mouse is placed over the object. Some behaviors are included by default in IE 5, including the download behavior. This feature allows a web site to download files for use in a client side script. The \"start download\" method of the \"download\" behavior has the following syntax: oDownload.startDownload (sUrl, fpCallback) sURL is a string specifying the file, and fpCallback is a pointer to a function to handle the downloaded file. The contents of the file are returned to fpCallback as its only parameter. sURL is supposed to originate in the same domain as the web site. However, you can construct the web site so that it redirects the browser to a local file (if the name of the file can be guessed or is known). The callback function can then perform arbitrary operations on the file, including possibly sending it to the intruder. For more information, see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-040.asp","impact":"Malicious web site operators can retrieve files from your system.","resolution":"Upgrade to the latest version of Internet Explorer or download a patch as described in http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-040.asp.","workarounds":"","sysaffected":"","thanks":"","author":"This document was written by Shawn V Hernan.","public":["http://www.microsoft.com/security/bulletins/ms99-040.asp,","http://www.microsoft.com/security/bulletins/ms99-040faq.asp","http://support.microsoft.com/support/kb/articles/Q242/5/42.asp","http://msdn.microsoft.com/scripting/default.htm?/scripting/scriptlets/doc/letimplDHTML.htm","http://msdn.microsoft.com/workshop/author/behaviors/overview.asp","http://msdn.microsoft.com/workshop/author/behaviors/reference/behaviors/download.asp","http://xforce.iss.net/static/3278.php","http://www.ciac.org/ciac/bulletins/k-002.shtml"],"cveids":["CVE-1999-0891"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"1999-10-26T16:27:59Z","publicdate":"1999-09-28T00:00:00Z","datefirstpublished":"2001-08-15T03:24:25Z","dateupdated":"2001-08-21T20:59:08Z","revision":3,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"17","cam_exploitation":"0","cam_internetinfrastructure":"4","cam_population":"16","cam_impact":"8","cam_easeofexploitation":"7","cam_attackeraccessrequired":"9","cam_scorecurrent":"3.1752","cam_scorecurrentwidelyknown":"3.6288","cam_scorecurrentwidelyknownexploited":"6.6528","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":3.1752,"vulnote":null}