base href file:// Bypasses IE Protected Mode Integrity Level

Setting a <base href> to a local file:// path and then calling window.open with a relative filename opened the local file in a new tab running at Medium integrity — not the Low integrity level that IE Protected Mode should enforce for web content.

<base href="file:///c:/windows/system32/drivers/etc/">

<script>
function main()
{
	window.open("hosts");
}
</script>

IE resolved window.open("hosts") against the base href, producing file:///c:/windows/system32/drivers/etc/hosts. When rendered in a new tab, the file opened at Medium integrity (the same as the local file zone) rather than Low integrity (the Protected Mode level). This was a privilege escalation in that code running in the new tab had more capabilities than expected from a web-initiated navigation. The attack required the attacker to know or guess the target file path in advance.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [UXSS: iFrame javascript: URI Executes in base href Origin] :: [Pop-up Blocker Bypass via Local base href] >