Bugtraq mailing list archives

Microsoft Internet Explorer 5.5 ASCII equivalent of "%01" security vulnerability....


From: Alp Sinan <alp () UK2 NET>
Date: Fri, 6 Oct 2000 11:20:45 -0000

The following security vulnerability has been found in 
Microsoft Internet Explorer version 5.5.
When a raw 0x01 byte (an undisplayable character, 
equal to the 1st character in the ASCII table, after the 
0th...) is inserted at some strategic position in 
JavaScript code, it is possible to access local files, 
or the IFRAME's DOM, cookies from other 
domains, etc...

The 0x01 character can also be replaced by &#01...

The original "%01" bug was found by Georgi Guninski 
in various versions of IE and was patched later...
IE 5.5 seemed to be immune to the aforementioned 
bug...
But when the transformation is done, it reveals 
important information...

There is another strange behaviour of IE that I came 
across:
When "%01" is inserted in a script, IE never loads the 
page fully, and it does not display an error message in most 
cases either. It seems to be in an infinite loop 
between the tasks "Load the page" and "Don't load the 
page if it contains '%01' 'somewhere'..." This suggested to 
me that '%01' still has a special meaning to the 
newest version of IE....

There are many codes that can be applied... you 
can see them at http://horoznet.com/AlpSinan

Just one of them: this code will access the cookies of 
any domain....
(before testing this code, replace ! with i in the script 
tag)
<OBJECT
   classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389" width="1024" height="500">
<PARAM NAME="URL" value="about:<iframe id=box src='http://lc2.law5.hotmail.passport.com/cgi-bin/login' width='800' ></iframe><scr!pt>setTimeout('alert(\'your cookie from hotmail \'+box.document.cookie)',10000) </scr!pt>http://lc2.law5.hotmail.passport.com/cgi-bin/login">
</OBJECT>

"I informed the MICROSOFT security team via email but 
until now no feedback has appeared"

Demonstration can be found at 
http://horoznet.com/AlpSinan

Alp Sinan
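Added example, not part of the original post: the advisory's point is that the same control character reaches the browser in three spellings (a raw 0x01 byte, the percent-escape "%01" and the numeric entity "&#01;"), so any filter that inspects user-supplied URLs or HTML for just one spelling is bypassed by the others. The code below normalises all three (including one level of double-encoding) and reports C0 control characters in the decoded result. The sample strings are constructed for this example and use a placeholder host and script; they are modelled on the shape of the payload above and are not a working exploit.

```javascript
// Added example (not from the original post): normalise percent-escapes and HTML
// numeric character references, then look for C0 control characters such as 0x01.
// A filter that only searches for the literal "%01" misses "&#01;" and vice versa.

// C0 controls except \t \n \r (which appear in legitimate text), plus DEL.
const CONTROL_RE = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;

// Decode numeric character references: &#1; &#01; &#x01; (semicolon optional, as
// the advisory writes "&#01" without one).
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (m, num) => {
    const code = num[0].toLowerCase() === 'x'
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : m;
  });
}

// Decode %XX escapes byte-wise; malformed escapes are left untouched.
function decodePercent(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Apply both decoders until the string stops changing (bounded, so hostile input
// cannot keep us looping). This catches "%2501" -> "%01" -> "\x01".
function normalise(input) {
  let cur = input;
  for (let i = 0; i < 5; i++) {
    const next = decodePercent(decodeNumericEntities(cur));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Return the decoded string and the positions/codes of any control characters found.
function findControlChars(input) {
  const decoded = normalise(input);
  const hits = [];
  for (let i = 0; i < decoded.length; i++) {
    if (CONTROL_RE.test(decoded[i])) {
      hits.push({ index: i, code: decoded.charCodeAt(i) });
    }
  }
  return { decoded, hits, suspicious: hits.length > 0 };
}

// Constructed samples (placeholder host and script, not the advisory's payload):
// one clean string and the three encodings of the 0x01 character.
const SAMPLES = [
  "about:<iframe src='http://example.test/login'></iframe><script>x()</script>",
  "about:<iframe src='http://example.test/login'></iframe>%01<script>x()</script>",
  "about:<iframe src='http://example.test/login'></iframe>&#01;<script>x()</script>",
  "about:%2501<script>x()</script>",
];

// One boolean per sample: does it smuggle a control character after decoding?
function scanSamples(samples = SAMPLES) {
  return samples.map((s) => findControlChars(s).suspicious);
}

console.log(scanSamples()); // [false, true, true, true]
```

Running the block flags the three encoded variants and leaves the clean string alone; a scanner placed in front of anything that builds `about:` URLs or OBJECT parameters from untrusted input would want the same normalisation step before any string match.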


