Bugtraq mailing list archives
RE: Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Thu, 20 Dec 2001 09:48:35 +0200
Affects latest 5.5 SP2 patched version on Win2k as well.

PLUS, if you use an "https://" URL, it also shows THAT in the location bar. Naturally, there are no SSL indicators (padlock, Secure properties, etc). For the paranoid among us (i.e. you have the alerts turned on), IE DOES warn that you are entering and then LEAVING a secure session, but the fact remains that the Location field shows "https://". Ooops!

It doesn't seem to work for documents containing frames, however. And you can get the logo to stop spinning by doing the document.close inside the timeout call. (If you look at the source of the spoofed page demo, you'll see what I mean.)

Rogan

-----Original Message-----
From: the Pull [mailto:osioniusx () yahoo com]
Sent: 20 December 2001 01:59
To: bugtraq () securityfocus com
Subject: Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: December 19, 2001
Severity: High
Vulnerable: IE 6.0.2600.0000 + Windows 2000
Update Versions: Q312461; Q240308; Q313675

Discussion: By simply using the document.open method and not using the document.close method you are able to: steal cookies; read local files that are parsable by IE (mime type text/html to be exact); and spoof sites.

Exploits: http://www.osioniusx.com

"cookieStealing.html" - This opens Yahoo.com and steals the cookie.
"FileReading.html" - This opens up C:\test.txt and then reads it.
"SiteSpoofing.html" - This spoofs www.chase.com -- chase.com is in the url, the title, and there is a link on the page to log on to your account which comes back to www.osioniusx.com.

Potential Solution: Fix required on document.open method.

Vendor Status: Emailed to "Secure () microsoft com".