Bugtraq mailing list archives
RE: Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug
From: "Siddik, Syaefullah" <Syaefullah_Siddik () fmi com>
Date: Thu, 20 Dec 2001 15:05:03 +0900
Confirmed on IE 5.50.4807.2300, 3 of them work! :( SOL, Dike
-----Original Message-----
From: the Pull [mailto:osioniusx () yahoo com]
Sent: Thursday, December 20, 2001 8:59 AM
To: bugtraq () securityfocus com
Subject: Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: December 19, 2001
Severity: High
Vulnerable: IE 6.0.2600.0000 + Windows 2000
Update Versions: Q312461; Q240308; Q313675

Discussion: By simply using the document.open method and not using the document.close method you are able to: steal cookies; read local files that are parsable by IE (mime type text/html to be exact); and spoof sites.

Exploits: http://www.osioniusx.com
"cookieStealing.html" - This opens Yahoo.com and steals the cookie.
"FileReading.html" - This opens up C:\test.txt and then reads it.
"SiteSpoofing.html" - This spoofs www.chase.com -- chase.com is in the url, the title, and there is a link on the page to log on to your account which comes back to www.osioniusx.com.

Potential Solution: Fix required on document.open method.

Vendor Status: Emailed to "Secure () microsoft com".