[10173] in bugtraq
Re: IE 5.0 security vulnerabilities - %01 bug again
daemon@ATHENA.MIT.EDU (Georgi Guninski)
Mon Apr 12 16:26:20 1999
Date: Sat, 10 Apr 1999 20:51:47 +0300
Reply-To: Georgi Guninski <joro@NAT.BG>
From: Georgi Guninski <joro@NAT.BG>
X-To: Eric Stevens <ejsteven@CS.MILLERSV.EDU>
To: BUGTRAQ@NETSPACE.ORG
Eric Stevens wrote:
>
> Is there any way to exploit this with files that are not recognized as text?
Yes, there is such a way. You must use TDC to read files with extensions
different from .txt or .html.
Demonstration of reading AUTOEXEC.BAT is available at:
http://www.nat.bg/~joro/scrauto.html
> Example, I tried modifying your code to c:\autoexec.bat and
> c:\winnt\win.ini. Instead of displaying the contents of my autoexec.bat
> file, I instead received an Open/Save As dialog. Open tries to execute the
> bat file or edit the ini file in the temp folder where it was downloaded,
> and save as does the obvious. This problem exists on both versions of IE5
> that I have access to, 5.00.0708.700 [ships with Windows 2000 Beta 2 build
> 5.00.1877], and 5.00.2014.0216 [a public release]. Hopefully this can't be
> exploited against anything but text files as it's not terribly likely that
> you have any sensitive information sitting around in text files whose names
> are likely to be guessed.
>
Regards,
Georgi Guninski