Bugtraq mailing list archives

Re: IE 5.0 security vulnerabilities - %01 bug again

From: overstr () NWLINK COM (adam)
Date: Mon, 12 Apr 1999 22:59:36 -0700


Forgive me if this has been mentioned.

The bug also exists on ie 4.  A similar one is possible with netscape.

On Sat, 10 Apr 1999, Georgi Guninski wrote:

Eric Stevens wrote:


Is there any way to exploit this with files that are not recognized as text.


Yes, there is such a way. You must use TDC to read files with extensions
different from .txt or .html.

Demonstration of reading AUTOEXEC.BAT is available at:
http://www.nat.bg/~joro/scrauto.html

Example, I tried modifying your code to c:\autoexec.bat and
c:\winnt\win.ini.  Instead of displaying the contents of my autoexec.bat
file, I instead recieved an Open/Save As dialog.  Open tries to execute the
bat file or edit the ini file in the temp folder where it was downloaded,
and save as does the obvious.  This problem exists on both versions of IE5
that I have access to, 5.00.0708.700 [ships with Windows 2000 Beta 2 build
5.00.1877], and 5.00.2014.0216 [a public release].  Hopefully this can't be
exploited against anything but text files as it's not terribly likely that
you have any sensitive information sitting around in text files whose names
are likely to be guessed.


Regards,
Georgi Guninski

Current thread:

IE 5.0 security vulnerabilities - %01 bug again Georgi Guninski (Apr 08)
- <Possible follow-ups>
- Re: IE 5.0 security vulnerabilities - %01 bug again Eric Stevens (Apr 09)
- Re: IE 5.0 security vulnerabilities - %01 bug again Ryan Russell (Apr 09)
- Re: IE 5.0 security vulnerabilities - %01 bug again Georgi Guninski (Apr 10)
  - Re: IE 5.0 security vulnerabilities - %01 bug again adam (Apr 12)