[12509] in bugtraq
Re: IE4/5 "file://" buffer overflow
daemon@ATHENA.MIT.EDU (Mikael Olsson)
Wed Nov 10 12:44:24 1999
Message-Id: <382883D7.744BDF80@enternet.se>
Date: Tue, 9 Nov 1999 21:28:07 +0100
Reply-To: Mikael Olsson <mikael.olsson@ENTERNET.SE>
From: Mikael Olsson <mikael.olsson@ENTERNET.SE>
X-To: UNYUN <shadowpenguin@BACKSECTION.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi! A couple of questions....
First of all, does this happen just by viewing the page, or do
you have to click the link?
If you have to click the link to get it to work, one might
want to look into using:
1. Javascript redirect (document.location="file://AAAAA...")
2. Meta refresh tags
3. DownloadBehaviour?
4. Server Redirects (Location: file:/AAAAA...)
Having an exploit go off by clicking on a file:// link is bad in
and of itself. Having it go off just by viewing the page/email that
contains the file:// link is the "Good Times"/"Win a vacation" virus
hoax come true.
On a side note:
The server redirect thing would not provide direct execution,
but could be used to hide the fact that the link you're about
to click is suspicious.
Yum :-P
/Mike
UNYUN wrote:
>
> Hello
>
> Microsoft Internet Explorer 4/5 overflows when handling the
> "file://" specification. This overflow occurs when we are logging on to
> the Microsoft Network; this overflow can be verified if a long name is
> specified to the "file://". For example,
>
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: mikael.olsson@enternet.se
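The three delivery vectors Mikael lists above (JavaScript redirect, meta refresh, HTTP Location header) rendered as they would appear in a page or response, together with a triage check that flags any of them pointing at an overlong file:// URL. This is an added example, not code from the original post or from either poster; the 256-byte threshold, the loose regexes, and the sample inputs are all assumptions made here (the post only says "long name"), and the DownloadBehaviour vector is not covered.

```javascript
// Added example, not part of the original Bugtraq post. Builds the three
// auto-navigation vectors named in the e-mail for a given URL, and scans an
// HTTP response (headers + HTML body) for any of them targeting a file:// URL
// longer than a threshold. The regexes are deliberately loose: this is a
// proxy/mail-gateway triage check, not an HTML or JavaScript parser.

// Assumed cut-off above which a file:// target is treated as suspicious.
// The original post gives no number, only "file://AAAAA...".
const FILE_URL_THRESHOLD = 256;

// The three vectors from the post, as they would be delivered to IE.
function buildVectors(url) {
  return {
    jsRedirect: `<script>document.location="${url}";</script>`,
    metaRefresh: `<meta http-equiv="refresh" content="0;url=${url}">`,
    locationHeader: `Location: ${url}`,
  };
}

// Both "file://" and "file:/" spellings appear in the thread, so match on
// the scheme alone.
function isSuspiciousTarget(url) {
  const u = url.trim();
  return /^file:/i.test(u) && u.length > FILE_URL_THRESHOLD;
}

// headers: array of "Name: value" strings; body: HTML text.
// Returns one finding per vector whose target is an overlong file:// URL.
function findFileAutoNav(headers, body) {
  const findings = [];
  let m;

  // Vector 4 in the post: a server-side redirect.
  for (const h of headers) {
    m = /^Location:\s*(\S+)/i.exec(h);
    if (m && isSuspiciousTarget(m[1])) {
      findings.push({ vector: "location-header", length: m[1].length });
    }
  }

  // Vector 2: <meta http-equiv="refresh" content="N;url=...">, attributes in
  // either order.
  const metaTagRe = /<meta\b[^>]*>/gi;
  while ((m = metaTagRe.exec(body)) !== null) {
    const tag = m[0];
    if (!/http-equiv\s*=\s*["']?refresh/i.test(tag)) continue;
    const c = /content\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (!c) continue;
    const urlPart = c[1].split(/;\s*url\s*=/i)[1];
    if (urlPart && isSuspiciousTarget(urlPart)) {
      findings.push({ vector: "meta-refresh", length: urlPart.trim().length });
    }
  }

  // Vector 1: document.location = "..." (also location.href / window.location).
  const jsRe = /(?:document\.|window\.)?location(?:\.href)?\s*=\s*["']([^"']*)["']/gi;
  while ((m = jsRe.exec(body)) !== null) {
    if (isSuspiciousTarget(m[1])) {
      findings.push({ vector: "js-redirect", length: m[1].length });
    }
  }

  return findings;
}

// Constructed sample input of the shape the post describes.
const LONG_FILE_URL = "file://" + "A".repeat(1000);

if (typeof require !== "undefined" && require.main === module) {
  const v = buildVectors(LONG_FILE_URL);
  console.log(findFileAutoNav([v.locationHeader], v.jsRedirect + v.metaRefresh));
}
```

Run stand-alone it prints three findings, one per vector; a page that redirects to an http:// URL or to a short file:// path produces none, which is the point of checking the scheme and the length together rather than blocking file:// outright.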