
Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability

Disclosed
2016-08-09
Created
2018-05-30

Description

It was found that Internet Explorer allows the disclosure of local file names.
This issue exists because Internet Explorer behaves differently for
file:// URLs pointing to existing and non-existent files. When used in
combination with HTML5 sandbox iframes, this behavior can be used to
find out whether a local file exists. This technique only works on Internet
Explorer 10 & 11 since these support the HTML5 sandbox. It is also not possible
to do this from a regular website, as file:// URLs are blocked altogether. The
attack must be performed locally (works with Internet zone Mark of the Web) or
from a share.

Author

Yorick Koster

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use auxiliary/gather/ie_sandbox_findfiles
msf auxiliary(ie_sandbox_findfiles) > show actions
...actions...
msf auxiliary(ie_sandbox_findfiles) > set ACTION <action-name>
msf auxiliary(ie_sandbox_findfiles) > show options
...show and set options...
msf auxiliary(ie_sandbox_findfiles) > run
