[23585] in bugtraq
RE: Internet Explorer Document.Open() Without Close() Cookie Stea
daemon@ATHENA.MIT.EDU (Siddik, Syaefullah)
Thu Dec 20 20:56:34 2001
Message-ID: <2D099894EB2F6746A44DD06C44F6D5E7243339@irja-exch2.tpra.fmi.com>
From: "Siddik, Syaefullah" <Syaefullah_Siddik@fmi.com>
To: bugtraq@securityfocus.com
Date: Thu, 20 Dec 2001 15:05:03 +0900
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Confirmed on IE 5.50.4807.2300, 3 of them work! :(
SOL,
Dike
> -----Original Message-----
> From: the Pull [mailto:osioniusx@yahoo.com]
> Sent: Thursday, December 20, 2001 8:59 AM
> To: bugtraq@securityfocus.com
> Subject: Internet Explorer Document.Open() Without Close() Cookie
> Stealing, File Reading, Site Spoofing Bug
>
>
> Class: Failure to Handle Exceptional Conditions
> Remote: Yes
> Local: Yes
> Found: December 19, 2001
> Severity: High
> Vulnerable: IE 6.0.2600.0000
> + Windows 2000 Update Versions: Q312461; Q240308;
> Q313675
>
>
>
>
> Discussion: By simply using the document.open method
> and not using the document.close method you are able
> to: steal cookies; read local files that are parsable
> by IE(mime type text/html to be exact); and spoof
> sites.
>
> Exploits: http://www.osioniusx.com
>
> "cookieStealing.html" - This opens Yahoo.com and
> steals the cookie.
> "FileReading.html" - This opens up C:\test.txt and
> then reads it.
> "SiteSpoofing.html" - This spoofs www.chase.com --
> chase.com is in the url, the title, and there is a
> link on the page to log on to your account which comes
> back to www.osioniusx.com.
>
>
> Potential Solution: Fix required on document.open
> method.
>
> Vendor Status: Emailed to "Secure@microsoft.com".
>
