Vulnerability Development mailing list archives
Re: possible new "e-mail virus" concept ? + bypassing IE settings
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Thu, 18 May 2000 23:55:05 -0700
Jim Paris wrote:
This was not tested, but I think it might be possible to make a custom HTTP server that thinks "/../../../../../../file.bat" (or maybe "c:\file.bat") is valid, and when asked to send this file, it will not try to look in lower dirs to find the file, but simply will upload the file to the client. (I could use some %codes in the filename in the .html to scramble the dir and fool I.E.) That way, we might be able to save the temporary files in other dirs than "the temporary internet files" folder.

That won't work.

-jim
Agreed. Both IE and Netscape make up new filenames for things they cache, and keep a separate index file for their real names. I don't think creative naming by the server is going to get things placed where you want on the client disk. I love the whole idea in general though, if you can find a way to trick the browser/user into executing the code.

BB
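Added example, not part of the original post and not IE's or Netscape's actual code: a minimal Python sketch of the cache design described in the reply above, where the client generates the on-disk name itself and keeps the server-supplied name only in an index. The class and function names (IndexedCache, naive_path, inside, demo) and the sample request paths are constructed for illustration; naive_path shows the trusting design for contrast.

```python
import os
import secrets
import tempfile
from urllib.parse import unquote


class IndexedCache:
    """Stores each response under a name the client generates itself."""

    def __init__(self, root):
        self.root = os.path.realpath(root)
        self.index = {}  # server-supplied URL -> client-generated file name

    def store(self, url, body):
        # The on-disk name is random; nothing from the URL reaches the filesystem.
        name = secrets.token_hex(8) + ".cache"
        path = os.path.join(self.root, name)
        with open(path, "xb") as fh:  # "x": refuse to overwrite an existing file
            fh.write(body)
        self.index[url] = name
        return path

    def lookup(self, url):
        name = self.index.get(url)
        return os.path.join(self.root, name) if name else None


def naive_path(root, url_path):
    """Contrast case: a client that trusts the server's file name."""
    return os.path.realpath(os.path.join(root, unquote(url_path).lstrip("/")))


def inside(root, path):
    """True if path resolves to a location under root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def demo():
    # Constructed sample request paths, modelled on the ones in the thread.
    urls = ["/../../../../../../file.bat", "/%2e%2e/%2e%2e/file.bat"]
    results = []
    with tempfile.TemporaryDirectory() as root:
        cache = IndexedCache(root)
        for url in urls:
            stored = cache.store(url, b"echo test\r\n")
            results.append((inside(root, naive_path(root, url)),  # trusting client
                            inside(root, stored),                 # indexed cache
                            cache.lookup(url) == stored))
    return results


if __name__ == "__main__":
    print(demo())
```

Each tuple is (trusting path stays in cache dir, indexed path stays in cache dir, index lookup finds the file).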