[23398] in bugtraq


Re: File extensions spoofable in MSIE download dialog

daemon@ATHENA.MIT.EDU (cube)
Wed Dec 5 14:28:34 2001

From: "cube" <chef@cube.blinx.de>
To: <bugtraq@securityfocus.com>
Date: Tue, 4 Dec 2001 19:11:59 +0100
Message-ID: <000a01c17cef$2a6fc300$a21a73c2@blinx.de>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <000001c17900$21868730$a21a73c2@blinx.de>

> From: chef [mailto:chef@cube.blinx.de] 
> Sent: Thursday, 29 November 2001 19:03
> 
> > From: StatiC [mailto:static@tampabay.rr.com]
> > Sent: Thursday, 29 November 2001 03:52
> > 
> > I was playing with apache configs a few months ago and
> > noticed a similar issue with IE5.5.  The procedure below will 
> > cause IE5.5 to display the open dialog for readme.txt but 
> > once opened, it executes immediately on IE5.5 sp2 with no 
> > hint that it is really getting an executable file called 
> > calc.exe.  I only tested it with IE5.5.
> 
> I tested it right now, with IE6; Q312461 / WinXP and I think 
> there is no problem at all.
> 
> First a question for text.txt pops up and when I say "open"
> a second message with question for save / open pops up.
> This second popup tells the right name "calc.exe".
> Finally when I say "open" it opens the calculator.
> 
> For testing: http://www.geilerserver.de/text.txt
> 
> > Why does microsoft think it is wise to trust the filename in
> > the url over what the header content-type is set to for 
> > display purposes since the content-type seems to take 
> > priority for what will really happen with the file.
> 
> I think that's only a problem of older versions.

Hello,

I tried with Win98 5.5 SP2; Q312461 and can confirm the "Sec. hole"

Only the first "text.txt" dialog pops up and if I choose "open" 
the "calc.exe" will be executed.
It crashes on Win98, because it's from XP, but that's another thing.

^cUbE^
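The mismatch the thread describes (a URL that looks like a text file while the response headers declare an executable, or a Content-Disposition name that differs from the URL name) is something a proxy or crawler can flag mechanically. The following is an added example, not code from the thread; the executable content types, the benign-extension list and the sample URLs are assumptions chosen for illustration.

```python
# Added example (not from the original thread): audit check for a
# URL-name vs. response-header mismatch of the kind discussed above.
# EXECUTABLE_TYPES, BENIGN_EXTENSIONS and the sample inputs are assumptions.
import posixpath
import re
from urllib.parse import urlparse

# Content types a browser may hand to the OS as a program (assumed list).
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
}
# Extensions a user would reasonably expect to be inert (assumed list).
BENIGN_EXTENSIONS = {".txt", ".htm", ".html", ".jpg", ".gif", ".png"}


def _extension(name):
    return posixpath.splitext(name)[1].lower()


def _disposition_filename(header):
    # Pull the filename parameter out of a Content-Disposition value.
    m = re.search(r'filename\*?=\s*"?([^";]+)"?', header, re.I)
    return m.group(1).strip() if m else None


def check_download(url, headers):
    """Return a list of findings where the file type implied by the URL
    disagrees with what the server's headers say is actually served."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    url_name = posixpath.basename(urlparse(url).path)
    url_ext = _extension(url_name)
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if url_ext in BENIGN_EXTENSIONS and ctype in EXECUTABLE_TYPES:
        findings.append("url looks like %s but content-type is %s" % (url_ext, ctype))
    cd = h.get("content-disposition")
    if cd:
        fname = _disposition_filename(cd)
        if fname and _extension(fname) != url_ext:
            findings.append("url name %r but disposition name %r" % (url_name, fname))
    return findings
```

Run over captured responses, an empty list means the URL name and the headers agree; any finding is worth a look before the user is shown a download dialog.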

