CVE-2002-0023

Internet Explorer <6.0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-0023. PoCs published by Georgi Guninski.

AI-analyzed exploit summary The exploit describes a vulnerability in Microsoft Internet Explorer where the 'GetObject()' JScript function with the 'htmlfile' ActiveX object can be manipulated to access the DOM of arbitrary files on the target system using '../' sequences in the URL. This could lead to information disclosure or arbitrary code execution.

Description

Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Georgi Guninski · textremotewindows

https://www.exploit-db.com/exploits/21195

View Code ZIP pw:eip

The exploit describes a vulnerability in Microsoft Internet Explorer where the 'GetObject()' JScript function with the 'htmlfile' ActiveX object can be manipulated to access the DOM of arbitrary files on the target system using '../' sequences in the URL. This could lead to information disclosure or arbitrary code execution.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Theoretical

Target: Microsoft Internet Explorer (versions affected in 2002)

No auth needed

Prerequisites: Target must visit a malicious webpage · Known file paths on the target system

MITRE ATT&CK