Bugtraq mailing list archives
Re: File extensions spoofable in MSIE download dialog
From: static () tampabay rr com
Date: Fri, 30 Nov 2001 19:38:37 -0500
Other people have emailed me that the vulnerability I described causes IE6.0 to not give a security warning about executing the .exe like IE5.0 does. In my testing with IE6.0, just clicking on an calc.exe directly does not even give a security warning either. I dont know much about IE6.0 yet, so maybe someone else will have an answer that can explain why the default config of IE6.0 does not produce the security warning that older versions did when clicking on an .exe directly and choosing open. The bigger issue to me is how vulnerable IE5.5 sp2. And to keep people from emailing me telling me thier IE5.5 does have have the vulnerability I described using the readme.txt php script... IE5.5 sp2 is the only version of IE5.5 that will run the executable without first prompting the user with the real .exe filename so far found(have not tested IE5.5 sp1). It is rather interesting that IE5.5 without any service pack does not have the vulnerability. It appears sp2(maybe sp1?) broke something that made this vulnerability possible. I have to wonder if this is a seperate vulnerability with IE5.5 sp2 than what the initial poster alerted us to. Until he realeases more info I guess we will never know. StatiC On Fri, Nov 30, 2001 at 01:07:05PM +1100, Paul Szabo wrote:
chef () cube blinx de wrote:I testet it right now, with IE6; Q312461 / WinXP and i think there is no problem at all. First a question for text.txt pops up and when i say "open" a second message with question for save / open pops up. This second popup tells the right name "calc.exe" . Finally when i say "open" it opens the calculator. For testing: http://www.geilerserver.de/text.txtand static () tampabay rr com confirmed:It appears only IE5.5 has this problem. I just tested with IE5.0 sp2 and IE6 and both of those version prompt and wait for user intervention for readme.txt and then wait a second time while prompting to ask to open/saveas calc.exe.I still see a problem with IE6. The first dialog says: You are downloading text.txt ... Open Save Cancel If I choose to save, then the file dialog shows the name calc.exe, but I may not pay attention to that; and when it finishes it says: Download complete Saved: calc.exe ... Open OpenFolder Close and if I choose to open then it runs the rogue application. Unless the user pays attention to the names shown, he may unwittingly run the rogue application; there is no extra security popup. Cheers, Paul Szabo - psz () maths usyd edu au http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia
Current thread:
- Re: File extensions spoofable in MSIE download dialog static (Dec 02)
- <Possible follow-ups>
- Re: File extensions spoofable in MSIE download dialog cube (Dec 05)
- RE: File extensions spoofable in MSIE download dialog Yngve Ã…dlandsvik (Dec 12)