Re: File extensions spoofable in MSIE download dialog

["cube" <chef () cube blinx de>]

> Von: chef [mailto:chef () cube blinx de] 
> Gesendet: Donnerstag, 29. November 2001 19:03
>
> > Von: StatiC [mailto:static () tampabay rr com]
> > Gesendet: Donnerstag, 29. November 2001 03:52
> >
> > I was playing with apache configs a few months ago and
> > noticed a similar issue with IE5.5.  The procodure below will 
> > cause IE5.5 to display the open dialog for readme.txt but 
> > once opened, it executes immediately on IE5.5 sp2 with no 
> > hint that it is really getting an executable file called 
> > calc.exe.  I only tested it with IE5.5.
>
> I testet it right now, with IE6; Q312461 / WinXP and i think 
> there is no problem at all.
>
> First a question for text.txt pops up and when i say "open"
> a second message with question for save / open pops up.
> This second popup tells the right name "calc.exe" .
> Finally when i say "open" it opens the calculator.
>
> For testing: http://www.geilerserver.de/text.txt
>
> > Why does microsoft think it is wise to trust the filename in
> > the url over what the header content-type is set to for 
> > display purposes since the content-type seems to take 
> > priority for what will really happen with the file.
>
> I think that's only a Problem of older Versions.

Hello,

I tryed with Win98 5.5 SP2; Q312461 and can confirm the "Sec. hole"

Only the first "text.txt" dialog pop-up's and if i choose "open" 
the "calc.exe" will be executed.
It crashes on win98, becouse it's from XP, but thats another thing.

^cUbE^