Pseudo-UXSS via Multipart MHTML IFrame

MHTML (MIME HTML) files can contain multiple parts in a single response, similar to a multipart email. I found that loading an MHTML file in an IFrame and then enumerating the IFrame window’s properties gave access to members that should have been off-limits from a cross-origin perspective. The behavior was pseudo-UXSS rather than a full bypass, but it was unexpected enough to warrant filing.

pIFrame.location = "multipart.mht";
var str = "";
for (var i in pIFrame) str += i + "\n";
alert(str);

The MHTML format caused IE to assign a special mhtml: URL to the IFrame, and the same-origin checks for that scheme were more permissive than they should have been. Enumerating properties through the IFrame reference exposed window members that were normally gated behind origin checks.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [Staying Resident via a Destroyed HTML Object] :: [IE Information Disclosure: Detecting Local Files via Link Behavior Errors] >