Bugtraq mailing list archives

IE 5.0 security vulnerabilities - %01 bug again

From: joro () NAT BG (Georgi Guninski)
Date: Fri, 9 Apr 1999 07:15:12 +0300


There is a security bug in Internet Explorer 5.0 which circumvents
"Cross-frame security" and
opens several security holes.

This is a modification of the "%01 security bug" (that was fixed in IE
5.0) I found in January.

The problem seems to be in the "Microsoft Scriptlet Component".
If you add '%01someURL' after the URL you pass to "Microsoft Scriptlet
Component", IE thinks that the document is
loaded from the domain of 'someURL'.

Some of the vulnerabilities are:

1) IE allows reading local files and sending them to an arbitrary
server.
The filename must be known.

The bug may be exploited using HTML mail message.

Demo is available at: http://www.nat.bg/~joro/scriptlet.html

2) IE allows "window spoofing".
After visiting a hostile page (or clicking a hostile link) a window is
opened and its
location is a trusted site. However, the content of the window is not
that of the original site,
but it is supplied by the owner of the page. So, the user is misled he
is browising
a trusted site, while he is browsing a hostile page and may provide
sensitive information,
such as credit card number.

The bug may be exploited using HTML mail message.

Demo is available at: http://www.nat.bg/~joro/scrspoof.html


Workaround: Disable Javascript

Regards,
Georgi Guninski

Current thread:

IE 5.0 security vulnerabilities - %01 bug again Georgi Guninski (Apr 08)
- <Possible follow-ups>
- Re: IE 5.0 security vulnerabilities - %01 bug again Eric Stevens (Apr 09)
- Re: IE 5.0 security vulnerabilities - %01 bug again Ryan Russell (Apr 09)
- Re: IE 5.0 security vulnerabilities - %01 bug again Georgi Guninski (Apr 10)
  - Re: IE 5.0 security vulnerabilities - %01 bug again adam (Apr 12)