msie4.01-jscript-security.txt

`Date: Thu, 28 Jan 1999 04:53:31 PST  
From: Georgi Guninski <[email protected]>  
To: [email protected]  
Subject: Javascript %01 bug in Internet Explorer  
  
There is a Javascript security bug in Internet Explorer 4.x (patched),  
which circumvents "Cross-frame security" and opens several security  
holes.  
  
The problem is: if you add '%01someURL' after an 'about:somecode' URL,  
IE thinks that the document is  
loaded from the domain of 'someURL'. Very strange?  
  
Some of the bugs are:  
  
1) IE allows reading local files and sending them to an arbitrary  
server.  
The filename must be known.  
The bug may be exploited using HTML mail message.  
Demo is available at:  
http://www.geocities.com/ResearchTriangle/1711/read3.html  
  
2) IE allows "window spoofing".  
After visiting a hostile page (or clicking a hostile link) a window is  
opened and its  
location is a trusted site. However, the content of the window is not  
that of the original site,  
but it is supplied by the owner of the page. So, the user is misled he  
is browising  
a trusted site, while he is browsing a hostile page and may provide  
sensitive information,  
such as credit card number.  
The bug may be exploited using HTML mail message.  
Demo is available at:  
http://www.geocities.com/ResearchTriangle/1711/read4.html  
  
3) Reading AUTOEXEC.BAT using TDC.  
Demo is available at:  
http://www.geocities.com/ResearchTriangle/1711/read5.html  
  
Workaround: Disable Javascript  
  
Regards,  
Georgi Guninski  
TechnoLogica Ltd, Bulgaria  
  
http://www.geocities.com/ResearchTriangle/1711  
http://www.whitehats.com/guninski  
  
`