Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug

From: the Pull (osioniusxat_private)
Date: Wed Dec 19 2001 - 15:59:14 PST


    Class: Failure to Handle Exceptional Conditions
    Remote: Yes
    Local: Yes
    Found: December 19, 2001
    Severity: High
    Vulnerable: IE 6.0.2600.0000
    + Windows 2000 Update Versions: Q312461; Q240308; Q313675
    
    Discussion: By simply using the document.open method
    and not using the document.close method, you are able
    to: steal cookies; read local files that are parsable
    by IE (MIME type text/html, to be exact); and spoof
    sites.
    
    Exploits: http://www.osioniusx.com
    
    "cookieStealing.html" - This opens Yahoo.com and
    steals the cookie.
    "FileReading.html" - This opens up C:\test.txt and
    then reads it.
    "SiteSpoofing.html" - This spoofs www.chase.com --
    chase.com is in the URL, the title, and there is a
    link on the page to log on to your account which comes
    back to www.osioniusx.com.
    
    
    Potential Solution: Fix required on document.open
    method.
    
    Vendor Status: Emailed to "Secureat_private".



    This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 21:33:41 PST