
CERT Coordination Center

Internet Explorer DHTML "Download Behavior" can be tricked into exposing local files

Vulnerability Note VU#37828

Original Release Date: 2001-08-15 | Last Revised: 2001-08-21


The download behavior of Internet Explorer 5.0 can be used to perform arbitrary operations on local files.


Internet Explorer 5.0 includes a dynamic HTML (DHTML) behavior called "download behavior." A "behavior" is a software object that specifies some behavior of a web page element, for example, how an object responds when the mouse is placed over it. Some behaviors are included by default in IE 5, including the download behavior. This feature allows a web site to download files for use in a client-side script.

The "start download" method of the "download" behavior has the following syntax:

oDownload.startDownload(sUrl, fpCallback)

sUrl is a string specifying the file, and fpCallback is a pointer to a function to handle the downloaded file. The contents of the file are returned to fpCallback as its only parameter.

sUrl is supposed to originate in the same domain as the web site. However, you can construct the web site so that it redirects the browser to a local file (if the name of the file can be guessed or is known). The callback function can then perform arbitrary operations on the file, including possibly sending it to the intruder.
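The flaw described above, as a small model (an added example, not code from this note or from Internet Explorer): a same-domain check applied only to the URL passed to startDownload, beside one applied to every redirect hop. The redirect table, host names, file path and function names are constructed for illustration.

```javascript
// Constructed redirect table standing in for server responses:
// requested URL -> Location it redirects to. Not real data.
const REDIRECTS = new Map([
  ["http://site.example/data.txt", "file:///C:/placeholder.txt"],
  ["http://site.example/old.txt", "http://site.example/new.txt"],
]);

// Two URLs share an origin when scheme and host (including port) match.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Return every URL visited while following redirects, with a hop limit.
function redirectChain(url, maxHops = 5) {
  const chain = [url];
  while (REDIRECTS.has(url)) {
    if (chain.length > maxHops) throw new Error("too many redirects");
    url = REDIRECTS.get(url);
    chain.push(url);
  }
  return chain;
}

// Flawed model: only the URL supplied by the page (sUrl) is checked;
// whatever the redirects lead to is then delivered to the callback.
function flawedAllows(pageUrl, sUrl) {
  if (!sameOrigin(pageUrl, sUrl)) return false;
  redirectChain(sUrl); // redirects followed without re-checking
  return true;
}

// Hardened model: every hop, including the final one, must share the
// page's origin before any content reaches the callback.
function hardenedAllows(pageUrl, sUrl) {
  return redirectChain(sUrl).every((hop) => sameOrigin(pageUrl, hop));
}
```
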

For more information, see


Malicious web site operators can retrieve files from your system.


Upgrade to the latest version of Internet Explorer or download a patch as described in




This document was written by Shawn V Hernan.

Other Information

CVE IDs: CVE-1999-0891
Severity Metric: 3.18
Date Public: 1999-09-28
Date First Published: 2001-08-15
Date Last Updated: 2001-08-21 20:59 UTC
Document Revision: 3

Sponsored by CISA.