Fw: [VULN-DEV] [bug]: Cause IE 5.X to crash

["Vitaly Osipov" <vosipov () wolfegroup ie>]

it did not go through that time (when listserv had problems), so i repost
it...



> I asked a friend who likes playing with betas to check in on msie 6.0 -
the
> result is crash, and the automated bug report says following:
>
> AppName: iexplore.exe AppVer: 6.0.2463.52 ModName: msieftp.dll
>
> ModVer: 5.50.4522.1800 Offset: 0000b8dc
>
>
>
> so it's the problem in msieftp.dll
>
>
>
> regards,
>
> W.
>
>
>
>
> ----- Original Message -----
> From: "Uidam, T (Tim)" <Tim.Uidam () SYD RABOBANK COM>
> To: <VULN-DEV () SECURITYFOCUS COM>
> Sent: Wednesday, May 09, 2001 6:29 AM
> Subject: Re: [VULN-DEV] [bug]: Cause IE 5.X to crash
>
>
> > Thanks to all who picked me up on that, but I definitely tested it (and
> then
> > re-tested) with two slashes, not just one... sorry for the confusion,
just
> a
> > typo...
> >
> > Anyway, I have a theory behind why mine (and others) didn't crash when
> > receiving the dodgy URL:
> > I do *not* have the Internet Explorer's Browsing Enhancements
installed...
> > that's the part that renders FTP sites to look like the typical Explorer
> > file system...
> >
> > Considering that IE's Browsing Enhancements tries so hard to interact
with
> > the system explorer (and fails at it's job of being an FTP client so
> > often!), it's kinda not suprising that it crashes with an invalid
request
> > like that...
> >
> > I don't have a machine handy that i can test the Before/After effects of
> > installing IE Browsing Enhancement... perhaps someone could get back the
> the
> > list with their results? :)
> >
> > Hope this helps :)
> >
> > Regards,
> > Tim.
> >
> > -----Original Message-----
> > From: Usman Akeju [mailto:manus () MIT EDU]
> > Sent: Tuesday, 8 May 2001 19:42
> > Cc: Uidam, T (Tim); VULN-DEV () securityfocus com
> > Subject: Re: [bug]: Cause IE 5.X to crash
> >
> >
> > Hey all,
> >
> > Tim Uidam and Nick Jacobsen:
> >
> > Note the "//" after the server name (TWO slashes)..
> >
> > ftp://whatever/.#./ != ftp://whatever//.#./
> >                                       ^
> > I tried this and some other weird stuff on my box and discovered that
> simply
> > typing or pasting any form of ftp://*//#./ OR ftp://*//?./ (leading "."
is
> > unnecessary, and "?" works in place of "#") into IE's Address Bar will
> cause
> > a crash, though without the trailing slash or some form of AutoComplete
> > enabled (which is the way it would crash by just typing it, for some
> reason)
> > it would require pressing the Enter key before anything happened.
> >
> > Also, some of the "weird stuff" I tried involved other protocols, but
> > nothing
> > else I tried worked-- except for ANY "<n>ftp://"; protocol
> (existant/standard
> > or not), where <n> is any single letter or number, though the crash
would
> > occur only after pressing the Enter key.  This suggests that msieftp.dll
> > needs some serious recoding or patching by the MS software team.  Maybe
> it's
> > not completely RFC 2396/2718 compliant?
> >
> > I was unable to reproduce this behavior via Start->Run at all.
> >
> > Running Win98SE 4.10.2222A using IE 5.50.4522.1800 SP1
+Q297328,q283908,Q286045,q290108,Q286043
> > On an unrelated(?) note (ie., more "weird stuff"), when testing IE's
> > "file://" protocol for this bug, I created the folder
> "c:\windows\desktop\#"
> > and typed in "file:///C|\windows\desktop\#" which worked fine and opened
> the
> > folder in the browser window.  I also tried it with a trailing slash
> > ("file:///C|\windows\desktop\#\"), and got an error message saying that
> > Windows could not find the directory, which doesn't happen for any other
> > directory (though I haven't tested all of the strange folder/filename
> > possibilities).  I thought it was a bit strange.
> >
> > On definitely unrelated note.. what's with IE's interperetation of the
> URL:
> >  about:<meta%20http-equiv="refresh"%20content="0;url=about:<meta%20http-
> >        equiv=refresh%20content=0;url='Insert_TEXT_or_HTML_here'">
> > ?
> >
> > The result is pretty funky (refreshes until URI reaches 2083
characters).
> > Heh.. fun with recursion.
> >
> > -Us
> > ;]
> >
> > -------- Original Message --------
> > Subject: Re: [bug]: Cause IE 5.X to crash
> > Date: Mon, 7 May 2001 08:07:45 +0800
> > From: "Uidam, T (Tim)" <Tim.Uidam () SYD RABOBANK COM>
> > Reply-To: "Uidam, T (Tim)" <Tim.Uidam () SYD RABOBANK COM>
> > To: VULN-DEV () securityfocus com
> >
> > NOT Vulnerable on IE 5.5 SP1 (no hotfixes) on WinNT 4 SP5.
> >
> > Nope, not even the tiniest glitch. If a valid FTP address is put in
place
> of
> > "whatever" it simply displays the FTP root in the browser window.
> >
> > Running ftp://whatever/.#./ from Start/Run launches IE, and displays
> "cannot
> > Find Server" with ftp://whatever// in the address bar.
> >
> >
> > Hope this helps! :)
> >
> > Tim.
> >
> > ==================================================================
> > De informatie opgenomen in dit bericht kan vertrouwelijk zijn en
> > is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht
> > onterecht ontvangt wordt u verzocht de inhoud niet te gebruiken en
> > de afzender direct te informeren door het bericht te retourneren.
> > ==================================================================
> > The information contained in this message may be confidential
> > and is intended to be exclusively for the addressee. Should you
> > receive this message unintentionally, please do not use the contents
> > herein and notify the sender immediately by return e-mail.
> >
> >
> > ==================================================================