Microsoft IE GetObject() Directory Traversal File Disclosure Vulnerability

Vulnerability ID: 1106554
Vulnerability type: Unknown
Published: 2002-01-01
Updated: 2005-05-02
CVE ID: CVE-2002-0023
CNNVD-ID: CNNVD-200203-025
Platform: Windows
CVSS score: 5.0
|Vulnerability Source
https://www.exploit-db.com/exploits/21195
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200203-025
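|Vulnerability Details
Microsoft IE is the popular web browser bundled with Windows. The 'GetObject()' JScript function in Microsoft IE has an input validation vulnerability that an attacker may exploit to read any file with a known name on the system. When the 'GetObject()' JScript function is called for the ActiveX control 'htmlfile' and the URL contains a string beginning with "../", files outside the web directory on the host may be accessed. By placing a URL crafted this way on a malicious web page, an attacker can access any file with a known name on the client's drives.
|Exploit (EXP)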
source: http://www.securityfocus.com/bid/3767/info

A flaw exists in Microsoft Internet Explorer that may allow a remote attacker to view known files on a target system when a user views web content containing a specially crafted script.

The problem occurs when the 'GetObject()' JScript function is used with the ActiveX object 'htmlfile.' If a URL containing "../" sequences is passed as the first argument to the function, it is possible to cause Internet Explorer to grant full access to the DOM of the created HTML document object:

a=GetObject("http://"+location.host+"/../../../../../../test.txt","htmlfile");

This vulnerability could be used by a malicious web site administrator to view any known file on a target system. It may also lead to the execution of arbitrary code.
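
A defensive check for the pattern described above, as an added example that is not part of the original advisory: it scans script text for `GetObject()` calls whose class argument is `htmlfile` and whose URL expression contains `../` sequences, and goes slightly beyond the page by also matching `..\` and percent-encoded forms. The names `splitArgs`, `literalText` and `findGetObjectTraversal` and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the advisory); all names and samples are constructed.
// Split call arguments on top-level commas, respecting quotes and parentheses.
function splitArgs(text) {
  const args = [];
  let depth = 0, quote = null, cur = "";
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      if (ch === "\\") { cur += ch + (text[++i] || ""); continue; }
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === "(") depth++;
    else if (ch === ")") {
      if (depth === 0) { args.push(cur.trim()); return args; }
      depth--;
    } else if (ch === "," && depth === 0) { args.push(cur.trim()); cur = ""; continue; }
    cur += ch;
  }
  return null; // unterminated call, nothing to report
}

// Join the string literals of an expression so "a" + host + "/../x" is
// inspected as one URL-like string; non-literal parts are ignored.
function literalText(expr) {
  const parts = expr.match(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g) || [];
  return parts.map((s) => s.slice(1, -1)).join("");
}

// "../" or "..\" plus percent-encoded variants (a generalization of the page's case).
const TRAVERSAL = /(?:\.\.|%2e%2e)(?:[\/\\]|%2f|%5c)/i;

function findGetObjectTraversal(source) {
  const findings = [], call = /\bGetObject\s*\(/g;
  for (let m; (m = call.exec(source)) !== null; ) {
    const args = splitArgs(source.slice(call.lastIndex));
    if (!args || args.length < 2) continue;
    const url = literalText(args[0]);
    const cls = literalText(args[1]).toLowerCase();
    if (cls === "htmlfile" && TRAVERSAL.test(url)) findings.push({ offset: m.index, url });
  }
  return findings;
}

// Constructed samples; the first is the call form quoted in the advisory.
const SAMPLES = [
  'a=GetObject("http://"+location.host+"/../../../../../../test.txt","htmlfile");',
  'var d = GetObject("http://example.test/page.html", "htmlfile");',
  'var e = GetObject(u, "htmlfile"); // URL held in a variable: not resolved here',
];
for (const s of SAMPLES) console.log(findGetObjectTraversal(s).length, s);
```

A URL built entirely from variables is not flagged, so this check is a triage aid for static script content rather than a substitute for the patch referenced below.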
|References

Source: BID
Name: 3767
Link: http://www.securityfocus.com/bid/3767
Source: MS
Name: MS02-005
Link: http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Source: BUGTRAQ
Name: 20020101 IE GetObject() problems
Link: http://archives.neohapsis.com/archives/bugtraq/2002-01/0000.html
Source: XF
Name: ie-getobject-directory-traversal(7758)
Link: http://xforce.iss.net/xforce/xfdb/7758
Source: OSVDB
Name: 3030
Link: http://www.osvdb.org/3030
Source: US Government Resource: oval:org.mitre.oval:def:77
Name: oval:org.mitre.oval:def:77
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:77
Source: US Government Resource: oval:org.mitre.oval:def:50
Name: oval:org.mitre.oval:def:50
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:50
Source: US Government Resource: oval:org.mitre.oval:def:40
Name: oval:org.mitre.oval:def:40
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:40
Source: US Government Resource: oval:org.mitre.oval:def:17
Name: oval:org.mitre.oval:def:17
Link: http://oval.mitre.org/repository/data/getDef?id=o
