JavaScript Development
 
  #1  
November 26th, 2001, 11:18 PM
paul_g
IE Javascript security hole

I was surprised to discover recently to what extent Explorer leaves your entire webpage vulnerable to data capture and manipulation. I found I could not only access external site variables and form fields from a page located on my desktop, I could write new data to them too! This includes hidden fields which you would think should not be touchable.

Is there anything that can be done to prevent this? Signed scripts? Anything. I have a game that will otherwise need to be converted to Flash, and would like to avoid the extra work if possible.

Thanks!

Paul G

  #2  
November 27th, 2001, 04:29 AM
binky
What exactly do you mean by manipulation? Do you mean simply saving a page locally, changing the code and using absolute paths to interact with a remote site?

This isn't anything new, for example, find a form for uploading data that has a hidden field called something like 'max size' and you know you'll be able to alter that and upload files larger than are wanted.

A lot of people use JavaScript to manipulate other sites so that they don't have to shift people from their site to incorporate the remote information. For example, streetmap.co.uk offers you the chance to incorporate a link for a map you want; it's easier to just use JavaScript to create the link yourself.

  #3  
November 27th, 2001, 11:30 PM
paul_g
Manipulation as in the kind of thing you mentioned. Try to access any form field from a page not originating from the same domain in Netscape and... oh sorry, that would be tampering. It doesn't let you. That makes perfect sense to me. The same-origin security rule of Netscape's was so sensible and basic, and gave JavaScript a little muscle to work with.

I can think of numerous interesting and advantageous uses of a hidden form field that the Explorer security stance makes impossible, including a client-side instant win game which I must now convert to Flash to prevent tampering.

I can understand why scripting form fields would be desirable, but hidden fields? Hidden should mean that the author doesn't want you messing with them, under any conditions.

Paul

  #4  
November 27th, 2001, 11:35 PM
paul_g
Oh. Your example is an excellent one:

"This isn't anything new, for example, find a form for uploading data that has a hidden field called something like 'max size' and you know you'll be able to alter that and upload files <b>larger than are wanted</b>."

This boggles my mind. MS doesn't view that as a security issue?

Paul
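
The hidden-field tampering discussed in posts #2 to #4 is normally handled on the server rather than in the browser. The following Node.js sketch is an added example, not code from the thread: the names `sealField`, `openField`, `acceptUpload`, `claimedPrize`, the `max_size` and `prize` fields and the 1024-byte limit are all hypothetical.

```javascript
// Added example: treating hidden form fields as untrusted input (Node.js standard library only).
const crypto = require('crypto');

// Assumption: secret known only to the server; generated per process for this demo.
const SERVER_KEY = crypto.randomBytes(32);
// Assumption: the real limit lives in server configuration, never in the form.
const MAX_UPLOAD_BYTES = 1024;

// Build the string to place in a hidden field: the value plus an HMAC-SHA256 tag.
function sealField(value, key = SERVER_KEY) {
  const tag = crypto.createHmac('sha256', key).update(value, 'utf8').digest('hex');
  return `${value}.${tag}`;
}

// Return the original value if the tag verifies, otherwise null (field was altered).
function openField(sealed, key = SERVER_KEY) {
  const s = String(sealed);
  const cut = s.lastIndexOf('.');
  if (cut < 0) return null;                       // no tag present at all
  const value = s.slice(0, cut);
  const given = Buffer.from(s.slice(cut + 1), 'hex');
  const expected = crypto.createHmac('sha256', key).update(value, 'utf8').digest();
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? value : null;
}

// Upload check: the submitted max_size field is deliberately ignored;
// only the server-side limit decides.
function acceptUpload(form, fileBytes) {
  return fileBytes.length <= MAX_UPLOAD_BYTES;
}

// Game check: the prize field is honoured only if it is exactly what the server issued.
function claimedPrize(form) {
  return openField(form.prize);
}
```

A sealed value can still be replayed unchanged, so a real game would bind it to a session or one-time nonce, or decide the outcome on the server and send only the result.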

  #5  
November 28th, 2001, 03:08 AM
binky
I think Microsoft view a lot of things as security issues but also try to keep things as open as possible. This has caused problems in many circumstances; the Nimda virus used simple JavaScript to exploit a hole in the IE security.

One of the scariest things is the MSHTML vulnerabilities, try:

http://www.microsoft.com/windows/ie...rity/mshtml.asp

to see what I mean. Serious stuff. Check out:

http://www.microsoft.com/windows/ie...cal/default.asp

for all the scares, and one thing to realise is that these are the ones that MS thinks are 'critical' so how many aren't?
