[29062] in bugtraq
Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part II
daemon@ATHENA.MIT.EDU (Jens Knoell)
Wed Feb 26 16:55:01 2003
Message-ID: <001101c2dd28$b7e84c80$0264a8c0@wombie>
From: "Jens Knoell" <jens@ing.twinwave.net>
To: <http-equiv@malware.com>, <bugtraq@securityfocus.com>
Date: Tue, 25 Feb 2003 16:50:44 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
http-equiv@excite.com <http-equiv@malware.com> wrote:
> [...]
> Because it is an html file proper, Internet Explorer opens it. The
> scripting inside is then parsed and fired. That scripting is pointing
> back to the same executable file with our original codebase object
> from the year 2000 and because it is a self-executing html file, it
> executes !
>
> Tested IE5.5 and IE6. Fully self-contained harmless *.exe:
>
> http://www.malware.com/html.exe.zip
>
> Be aware of html files out there.
>
> Key Words: Trust it's Worthy so Think it's Tank silly obvious
This does not seem to work for me if done via webserver. It works like a
charm locally, so it might be worthwhile adding that this is only useful as
an attached HTML (in an email, for example).
Jens