[10188] in bugtraq

Re: IE 5.0 security vulnerabilities - %01 bug again

daemon@ATHENA.MIT.EDU (adam)
Tue Apr 13 12:44:31 1999

Date: 	Mon, 12 Apr 1999 22:59:36 -0700
Reply-To: adam <overstr@NWLINK.COM>
From: adam <overstr@NWLINK.COM>
X-To:         Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <370F8FB3.52ABB910@nat.bg>

Forgive me if this has been mentioned.

The bug also exists on IE 4.  A similar one is possible with Netscape.

On Sat, 10 Apr 1999, Georgi Guninski wrote:

> Eric Stevens wrote:
> >
> > Is there any way to exploit this with files that are not recognized as text?
>
> Yes, there is such a way. You must use TDC to read files with extensions
> different from .txt or .html.
>
> Demonstration of reading AUTOEXEC.BAT is available at:
> http://www.nat.bg/~joro/scrauto.html
>
> > Example, I tried modifying your code to c:\autoexec.bat and
> > c:\winnt\win.ini.  Instead of displaying the contents of my autoexec.bat
> > file, I instead received an Open/Save As dialog.  Open tries to execute the
> > bat file or edit the ini file in the temp folder where it was downloaded,
> > and save as does the obvious.  This problem exists on both versions of IE5
> > that I have access to, 5.00.0708.700 [ships with Windows 2000 Beta 2 build
> > 5.00.1877], and 5.00.2014.0216 [a public release].  Hopefully this can't be
> > exploited against anything but text files as it's not terribly likely that
> > you have any sensitive information sitting around in text files whose names
> > are likely to be guessed.
> >
>
> Regards,
> Georgi Guninski
>
