RE: File extensions spoofable in MSIE download dialog

[Yngve Ådlandsvik <Yngve.Adlandsvik () legemidler no>]

Sorry for being late, but this link proved that Opera 5.12 is vulnerable. It
gives the standard 'Open' and 'Save to disk' dialogue, showing only the
spoofed filename. If you select 'Open', it will be run immediately.

Opera 6.0 is not vulnerable, however.

> -----Original Message-----
> From: chef [SMTP:chef () cube blinx de]
> Sent: 29. november 2001 19:03
> To:   'StatiC'; bugtraq () securityfocus com
> Subject:      Re: File extensions spoofable in MSIE download dialog
>
>   -----Ursprüngliche Nachricht-----
> > Von: StatiC [mailto:static () tampabay rr com] 
> > Gesendet: Donnerstag, 29. November 2001 03:52
> >
> > I was playing with apache configs a few months ago and 
> > noticed a similar issue with IE5.5.  The procodure below will 
> > cause IE5.5 to display the open dialog for readme.txt but 
> > once opened, it executes immediately on IE5.5 sp2 with no 
> > hint that it is really getting an executable file called 
> > calc.exe.  I only tested it with IE5.5.
>
> I testet it right now, with IE6; Q312461 / WinXP and i think
> there is no problem at all.
>
> First a question for text.txt pops up and when i say "open"
> a second message with question for save / open pops up.
> This second popup tells the right name "calc.exe" .
> Finally when i say "open" it opens the calculator.
>
> For testing: http://www.geilerserver.de/text.txt
>
> > Why does microsoft think it is wise to trust the filename in 
> > the url over what the header content-type is set to for 
> > display purposes since the content-type seems to take 
> > priority for what will really happen with the file.
>
> I think that's only a Problem of older Versions.
>
> ^cUbE^