Bugtraq mailing list archives
Re: IE 5.0 allows reading and sending local files to a remote
From: frohicky () TECHNOLOGIST COM (Andrew Tulloch)
Date: Wed, 31 Mar 1999 09:14:47 +0100
If you look under scripting options in security settings there is the option "Allow paste via script" simply turning this to disabled provides this result:

<paste>
See the contents of your file among the other stuff
--------------------------------------------------------------------------------
-----------------------------7cf26c3b6a8
Content-Disposition: form-data; name = "a"; filename=""
Content-Type: application/octet-stream

-----------------------------7cf26c3b6a8--
</paste>

which as far as I see has disabled the reading of local files and is a little less drastic than disabling all JavaScript.

Regards,
Andrew Tulloch

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () netspace org]On Behalf Of Georgi Guninski
Sent: 30 March 1999 17:35
To: BUGTRAQ () netspace org
Subject: IE 5.0 allows reading and sending local files to a remote server

There is a security bug in Internet Explorer 5.0, which allows reading and sending local files to a remote server. The problem is a bug in the DHTML edit control, which allows pasting a filename in a FILE object. When the form is submitted via JavaScript, the contents of the file are sent to a remote server.

Demonstration is available at: http://www.nat.bg/~joro/fr.html

Workaround: Disable JavaScript

I would like to thank Juan Cuartango (http://pages.whowhere.com/computers/cuartangojc/index.html) for his IE exploits, which helped me a lot for discovering this vulnerability!

Regards,
Georgi Guninski
http://www.nat.bg/~joro
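
Added example (not part of either message above): a small Python parser for an echoed multipart/form-data body like the one pasted in the reply, reporting whether any file part actually carried data, which is how to confirm the "Allow paste via script" setting took effect. The sample bodies and the names file_parts and file_data_sent are constructed for illustration, and the parser assumes CRLF line endings and a payload that does not contain the delimiter.

```python
import re

# Constructed sample: the request body echoed in the reply above, rebuilt with
# the CRLF line endings multipart/form-data uses on the wire.
DELIM = b"-----------------------------7cf26c3b6a8"
BLOCKED = b"\r\n".join([
    DELIM,
    b'Content-Disposition: form-data; name = "a"; filename=""',
    b"Content-Type: application/octet-stream",
    b"", b"",
    DELIM + b"--", b"",
])
# Constructed counter-example: the same field with a filename and file bytes.
LEAKED = BLOCKED.replace(b'filename=""', b'filename="sample.txt"').replace(
    b"\r\n\r\n\r\n", b"\r\n\r\nconstructed file contents\r\n")

# Tolerates the `name = "a"` spacing seen in the pasted header.
PARAM = re.compile(rb'(\w+)\s*=\s*"([^"]*)"')

def file_parts(body):
    """Return [(field name, filename, payload length)] for each file part."""
    delim = body.split(b"\r\n", 1)[0]      # first line is "--" + boundary
    if not delim.startswith(b"--"):
        raise ValueError("body does not start with a multipart delimiter")
    found = []
    # Parts sit between delimiter lines; a trailing "--" marks the last one.
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break
        headers, sep, payload = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        if payload.endswith(b"\r\n"):
            payload = payload[:-2]          # CRLF that precedes the delimiter
        for line in headers.strip().split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                params = dict(PARAM.findall(line))
                if b"filename" in params:
                    found.append((params.get(b"name", b"").decode(),
                                  params[b"filename"].decode(), len(payload)))
    return found

def file_data_sent(body):
    """True if any file part has a filename or a non-empty payload."""
    return any(fname or size for _, fname, size in file_parts(body))
```

An empty filename together with a zero-length payload, as in the pasted result, means the FILE field was submitted without any file attached.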