[10179] in bugtraq


Re: IE 5.0 security vulnerabilities - %01 bug again

daemon@ATHENA.MIT.EDU (Ryan Russell)
Mon Apr 12 16:26:27 1999

Date: 	Fri, 9 Apr 1999 15:05:07 -0700
Reply-To: Ryan Russell <Ryan.Russell@SYBASE.COM>
From: Ryan Russell <Ryan.Russell@SYBASE.COM>
X-To:         Eric Stevens <ejsteven@CS.MILLERSV.EDU>
To: BUGTRAQ@NETSPACE.ORG

Since it's an NT box, did you try using the ::$DATA
feature in conjunction with this bug?

                    Ryan






Is there any way to exploit this with files that are not recognized as text?
Example, I tried modifying your code to c:\autoexec.bat and
c:\winnt\win.ini.  Instead of displaying the contents of my autoexec.bat
file, I instead received an Open/Save As dialog.  Open tries to execute the
bat file or edit the ini file in the temp folder where it was downloaded,
and save as does the obvious.  This problem exists on both versions of IE5
that I have access to, 5.00.0708.700 [ships with Windows 2000 Beta 2 build
5.00.1877], and 5.00.2014.0216 [a public release].  Hopefully this can't be
exploited against anything but text files as it's not terribly likely that
you have any sensitive information sitting around in text files whose names
are likely to be guessed.
