Bugtraq mailing list archives

RE: Internet Explorer Document.Open() Without Close() Cookie Stea ling, File Reading, Site Spoofing Bug

From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Thu, 20 Dec 2001 09:48:35 +0200

Affects latest 5.5 SP2 patched version on Win2k as well.

PLUS, if you use an "https://"; URL, it also shows THAT in the location bar.

Naturally, there are no SSL indicators (padlock, Secure properties, etc). 

For the paranoid among us (i.e. you have the alerts turned on), IE DOES warn
that you are entering and then LEAVING a secure session, but the fact
remains that the Location field shows "https://";

Ooops!

It doesn't seem to work for documents containing frames, however. 

And you can get the logo to stop spinning by doing the document.close inside
the timeout call. (If you look at the source of the spoofed page demo,
you'll see what I mean.)

Rogan

-----Original Message-----
From: the Pull [mailto:osioniusx () yahoo com]
Sent: 20 December 2001 01:59
To: bugtraq () securityfocus com
Subject: Internet Explorer Document.Open() Without Close() Cookie
Stealing, File Reading, Site Spoofing Bug

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: December 19, 2001
Severity: High
Vulnerable: IE 6.0.2600.0000
+ Windows 2000 Update Versions: Q312461; Q240308;
Q313675

Discussion: By simply using the document.open method
and not using the document.close method you are able
to: steal cookies; read local files that are parsable
by IE(mime type text/html to be exact); and spoof
sites.

Exploits: http://www.osioniusx.com

"cookieStealing.html" - This opens Yahoo.com and
steals the cookie.
"FileReading.html" - This opens up C:\test.txt and
then reads it.
"SiteSpoofing.html" - This spoofs www.chase.com  --
chase.com is in the url, the title, and there is a
link on the page to log on to your account which comes
back to www.osioniusx.com.

Potential Solution: Fix required on document.open
method.

Vendor Status: Emailed to "Secure () microsoft com". 

__________________________________________________
Do You Yahoo!?
Check out Yahoo! Shopping and Yahoo! Auctions for all of
your unique holiday gifts! Buy at http://shopping.yahoo.com
or bid at http://auctions.yahoo.com

Current thread:

RE: Internet Explorer Document.Open() Without Close() Cookie Stea ling, File Reading, Site Spoofing Bug Dawes, Rogan (ZA - Johannesburg) (Dec 20)
- <Possible follow-ups>
- RE: Internet Explorer Document.Open() Without Close() Cookie Stea ling, File Reading, Site Spoofing Bug Siddik, Syaefullah (Dec 20)
  - RE: Internet Explorer Document.Open() Without Close() Cookie Stea ling, File Reading, Site Spoofing Bug CDE Francis (Dec 26)