Bugtraq mailing list archives
The Cuartango Security Hole in IE4
From: aleph1 () DFW NET (Aleph One)
Date: Mon, 12 Oct 1998 11:36:13 -0500
---------- Forwarded message ----------
Date: Sun, 11 Oct 1998 15:17:41 -0400
From: Richard M. Smith <rms () PHARLAP COM>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: The Cuartango Security Hole in IE4

Hello,

Juan Carlos G. Cuartango of Spain has discovered an extremely serious security hole in Internet Explorer 4. With a small amount of JavaScript code on a Web page, a Web site operator can steal any file from a user's hard disk and automatically upload the contents to a Web server. More worrisome is the fact that the security hole can also be exploited in an HTML-based Email message in Outlook Express. Simply by reading a booby-trapped Email message, private files can be stolen from one's hard disk. Most computer users, I suspect, will consider this an unacceptable product defect.

Details of the security hole were posted late last week at Mr. Cuartango's Web site:

http://pages.whowhere.com/computers/cuartangojc/cuartangoh1.html

The Web site also contains a demo of the security problem. The demo is based on a standard file uploader HTML form. Normally only the user can manually set the name of the file to be uploaded, but IE4 inadvertently allows JavaScript to execute cut and paste functions to set the file name. After the file name is set, JavaScript auto-submits the form to upload the file.

I've tested the demo on three different systems and it worked on two of them. The one system on which the demo failed was running the original release of IE4, which came out in September of last year. The two systems on which the demo worked were running IE 4.01, which started shipping earlier this year. The demo appears to work both on Windows 95 and Windows 98. It should also work on Windows NT, but I haven't had time to test it. The bug is also reported to be present in the preview version of IE5.

According to Juan Carlos's Web site, Microsoft has confirmed the bug and is now looking at how to fix it.

Richard M. Smith
rms () pharlap com