[15471] in bugtraq
Re: Force Feeding
daemon@ATHENA.MIT.EDU (David LeBlanc)
Mon Jun 26 13:49:26 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.5.32.20000624175853.05960210@pop.mindspring.com>
Date: Sat, 24 Jun 2000 17:58:53 -0700
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <414102.961876827898.JavaMail.imail@goochy.excite.com>
At 01:00 PM 6/24/00 -0700, http-equiv@excite.com wrote:
>Create two sets of html messages:
>(a) one comprising the file to be delivered:
><frameset rows="10%,*">
><frame src="refresh.bat" >
></frameset>
I tried this one day with David Litchfield, and the file he sent ended up
in one of the temporary internet files folders. These are randomly named,
so this will tend to defuse any subsequent steps. If someone else gets
different results, I'd be interested in hearing about it.
>the file is delivered to the temp folder.
One work-around for this that I have long advocated is making the temporary
internet folders and the temp folders non-executable.
>Through the false link, they are then forced open the attached *.url
>which points to the C:\WINDOWS\TEMP\ where the delivered file waits.
This is Win9x specific, and although you can generally count on NT 4.0
having a c:\temp, Win2k has per-user temp directories, which complicate
this somewhat, and neither c:\temp or c:\windows\temp normally exist.
David LeBlanc
dleblanc@mindspring.com
