Microsoft Internet Explorer 6 - URI Handler Restriction Circumvention

Author: Thor Larholm
type: remote
platform: windows
date_added: 2002-09-10 
date_updated: 2012-10-08 
verified: 1 
codes: OSVDB-2996 

source: https://www.securityfocus.com/bid/5730/info

Microsoft Windows Internet Explorer 6.0 SP1 introduced restrictions for certain URI handlers (such as file:// and res://). It has been demonstrated in the past that these URI handlers could be abused and incorporated into different types of attacks against users of the browser, such as cross-protocol scripting attacks or attacks which access local resources.

As a safety measure, Service Pack 1 addressed this issue by restricting the client from accessing any of the dangerous URI handlers from the Internet Zone.

However, it is possible to circumvent these restrictions by employing an HTTP redirect to a page which contains one of the restricted URIs.

It is still possible to open any file:// or res:// file automatically with:

<object type="text/html" data="redirect.asp"></object>

where redirect.asp makes an HTTP redirect using this HTTP header:

Location: file://c:/test.txt
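
A defender-side check for the redirect described above, as an added example that is not part of the original advisory: it parses a raw HTTP response head, as a proxy or log pipeline might see it, and flags 3xx responses whose Location header points at file:// or res://. The function names and sample responses are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Schemes the advisory names as restricted from the Internet Zone.
RESTRICTED_SCHEMES = {"file", "res"}

def parse_response_head(raw: bytes):
    """Return (status, headers); headers maps lowercase name -> list of values."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 302 Found" -> 302
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:  # obsolete folded continuation
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line, skip
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return status, headers

def restricted_redirect(raw: bytes):
    """Return the Location value if a 3xx response targets a restricted scheme."""
    status, headers = parse_response_head(raw)
    if not 300 <= status < 400:
        return None  # only redirects are in scope for this check
    for loc in headers.get("location", []):
        # urlsplit lowercases the scheme; header names were lowercased above
        if urlsplit(loc).scheme.lower() in RESTRICTED_SCHEMES:
            return loc
    return None

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "bypass": b"HTTP/1.1 302 Found\r\nContent-Length: 0\r\nLocation: file://c:/test.txt\r\n\r\n",
    "mixed_case": b"HTTP/1.1 301 Moved\r\nlocation:  RES://example.dll/page.htm\r\n\r\n",
    "benign": b"HTTP/1.1 302 Found\r\nLocation: https://example.com/next\r\n\r\n",
    "not_redirect": b"HTTP/1.1 200 OK\r\nLocation: file://c:/test.txt\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", restricted_redirect(raw))
```
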