Internet Explorer: drag and drop, loading files from TIF


Yorick Koster, August 2005

Abstract


When dragging an image file into a new Internet Explorer window or into the address bar, the image will be loaded from the Temporary Internet Files folder. Creating a file with a special filename allows us to load arbitrary files from the Temporary Internet Files folder.

Affected versions


The following versions of Internet Explorer have been tested and are affected by this issue:

   * Internet Explorer 6.0 SP2 on Windows XP SP2
   * Internet Explorer 6.0 SP1 on Windows 2000 SP4

Fix


This issue was addressed by MS06-072.

Drag and drop


When dragging images into a new Internet Explorer window, Internet Explorer will load the image from the Temporary Internet Files folder. This is also true when the same image is dragged into the address bar. Drag and drop the image below into the address bar to view this behavior.

[Image: /advisory/AK20050802/MSNA_Header_133513.jpg]

[Image: /advisory/AK20050802/001_drag_from_tif_winxp.png]

Loading arbitrary files


It has been discovered that it is possible to load arbitrary files from the Temporary Internet Files folder by creating a filename containing a hash (#) character. For example, we can set the following Content-Disposition HTTP header:

Content-Disposition: inline; filename="hmmm.htm#.gif"

Sending the above HTTP header will trick Internet Explorer into loading the file hmmm[1].htm instead of the file hmmm[1].htm#.gif. Drag the image below into the address bar to see this behavior.

[Image: /advisory/AK20050802/MSNA_Header_133513.php]

URL encoding


Tests have revealed that using the Content-Disposition HTTP header only allows us to supply a hash character in a filename. If we set other special characters in the filename, such as the question mark (?), Internet Explorer does not allow drag and drop actions on the image.

Further testing has shown that Internet Explorer does allow dragging and dropping of files containing the percent character (%). This allows us to encode special characters, using URL encoding, in links. For example, we can create the following link:

<img src="image.htm%3f.gif">

On our web server, we can create a file called image.htm?.gif. Dragging and dropping the above image into a new window will load the file image[1].htm instead of the file image[1].htm?.gif.
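
A filtering proxy or upload check can flag both name shapes described in the two sections above: a Content-Disposition filename containing a hash, and a URL path segment containing a percent-encoded question mark. The following is an added example, not part of the original advisory; the function names and the extension lists are assumptions made for illustration.

```python
from email.message import Message
from urllib.parse import unquote, urlsplit
import re

# Assumed extension lists for this example; tune for your environment.
ACTIVE_EXT = (".htm", ".html")
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png", ".bmp")


def masked_name(name):
    """Return the shorter name hidden in front of '#' or '?', or None.

    Flags names such as 'hmmm.htm#.gif' or 'image.htm%3f.gif': the full
    name ends in an image extension, but the part before the delimiter
    ends in an active-content extension.
    """
    decoded = unquote(name)  # '%3f' -> '?', '%23' -> '#'
    parts = re.split(r"[#?]", decoded, maxsplit=1)
    if len(parts) == 1:
        return None  # no delimiter, nothing to truncate
    head = parts[0]
    if decoded.lower().endswith(IMAGE_EXT) and head.lower().endswith(ACTIVE_EXT):
        return head
    return None


def check_content_disposition(value):
    """Inspect the filename parameter of a Content-Disposition value."""
    msg = Message()
    msg["Content-Disposition"] = value
    filename = msg.get_filename()
    return masked_name(filename) if filename else None


def check_url(url):
    """Inspect the last path segment of a (possibly relative) URL."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return masked_name(segment) if segment else None


if __name__ == "__main__":
    # Constructed samples; the first two are the names used in this advisory.
    print(check_content_disposition('inline; filename="hmmm.htm#.gif"'))
    print(check_url("image.htm%3f.gif"))
    print(check_url("/img/logo.png?v=2"))
```

An ordinary query string such as logo.png?v=2 is not flagged, because the check only looks at the path segment and requires the truncated name to end in an active-content extension.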

Proof of concept


A proof of concept has been created that demonstrates this issue. Click on the link below to start the proof of concept. Drag the image in the search pane into the right window to load an arbitrary file from the Temporary Internet Files folder.

Proof of concept