Microsoft IE PPC Overwrite Arbitrary Files

1997-08-29T00:00:00
ID OSVDB:3104
Type osvdb
Reporter OSVDB
Modified 1997-08-29T00:00:00

Description

Vulnerability Description

Microsoft Internet Explorer (PPC version on Macintosh) contains a flaw that allows a remote attacker to overwrite arbitrary files with custom data. The flaw is due to IE not checking FORM ACTION content and accepting file:// arguments. INPUT NAME data specified in the FORM request is then written to the specified file, deleting whatever data is already present.

Technical Description

This is confirmed on MSIE 3.0 PPC (Macintosh) Edition, but has not been verified on the Windows platform.

Solution Description

Upgrade to version 4.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

A sample HTML document to demonstrate:

<FORM ACTION="file:///Hard_Disk/Desktop%20Folder/Untitled.html" METHOD="POST">
<INPUT NAME="This could have overwritten anything!" TYPE=Hidden>
<Input Type=Submit>
</FORM>

The file Hard_Disk:Desktop Folder:Untitled.html gets written or overwritten, and receives the following contents:

This+could+have+overwritten+anything%21=
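
Added example, not part of the original OSVDB entry: a Python check that a content filter or page audit could run to flag forms whose ACTION is not a relative, http or https target, as in the sample above. It also reproduces the urlencoded form body that ends up as the file contents. ALLOWED_SCHEMES, FormActionAuditor and audit are names made up for this example, and the second form in SAMPLE is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

ALLOWED_SCHEMES = {"", "http", "https"}  # assumption: relative, http, https only

class FormActionAuditor(HTMLParser):
    """Collects forms whose ACTION uses an unexpected scheme such as file://."""
    def __init__(self):
        super().__init__()
        self.findings = []     # one dict per flagged form
        self._current = None   # flagged form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # HTMLParser lowercases tag and attribute names
        if tag == "form":
            action = (attrs.get("action") or "").strip()
            scheme = urlsplit(action).scheme.lower()
            self._current = None
            if scheme not in ALLOWED_SCHEMES:
                self._current = {"action": action, "scheme": scheme, "fields": []}
                self.findings.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("name") is not None:   # unnamed inputs are not submitted
                self._current["fields"].append((attrs["name"], attrs.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit(html):
    """Return flagged forms, each with the urlencoded body it would submit."""
    parser = FormActionAuditor()
    parser.feed(html)
    parser.close()
    for finding in parser.findings:
        finding["body"] = urlencode(finding["fields"])
    return parser.findings

# The sample document from this entry, followed by a constructed benign form.
SAMPLE = """
<FORM ACTION="file:///Hard_Disk/Desktop%20Folder/Untitled.html" METHOD="POST">
<INPUT NAME="This could have overwritten anything!" TYPE=Hidden>
<Input Type=Submit>
</FORM>
<form action="/search" method="get"><input name="q" value="x"></form>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["scheme"], f["action"], repr(f["body"]))
```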

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1997_3/0370.html