source: https://www.securityfocus.com/bid/197/info
On January 28, 1999, Georgi Guninski originally reported a vulnerability in Internet Explorer 4.x. Internet Explorer 4.x's implementation of cross-frame security could be bypassed if "%01" is appended to an arbitrary URL. If the specially malformed URL is inserted in JavaScript after an 'about:' statement, arbitrary code can be executed on the target host. Successful exploitation could lead to access to local files, window spoofing, and arbitrary code execution.
On October 6, 2000, Alp Sinan discovered that a variation of this vulnerability exists in Microsoft Internet Explorer 5.5. Instead of "%01", the ASCII equivalents "^A" or "" can be used.
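The defensive side of the control-character trick, as an added example that is not part of the advisory or of either researcher's demonstration pages: a small JavaScript check that refuses to treat two URLs as same-origin when either one carries a raw or percent-encoded C0 control character (the "%01" / "^A" case above), so the origin used for a frame-access decision cannot disagree with the resource actually loaded. Function names and sample URLs are constructed.

```javascript
// Added example (not from the advisory): reject URLs carrying C0 control
// characters, raw or percent-encoded, before any cross-frame decision.
// Assumption: helper names and sample URLs are constructed for illustration.

// Decode %XX sequences without throwing on malformed input, so that a URL
// such as "http://example.invalid/%01" exposes its literal 0x01 byte.
function percentDecodeLoose(url) {
  return url.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// True when the URL contains a C0 control character (U+0000..U+001F) or
// DEL (U+007F), either literally ("^A") or encoded ("%01"). Such bytes
// have no legitimate place in a URL; the advisory's bypass relied on the
// browser's security check and its loader disagreeing about one.
function hasControlCharacter(url) {
  return /[\x00-\x1f\x7f]/.test(percentDecodeLoose(url));
}

// Origin-style comparison a frame-access check might perform. It denies
// (returns false) whenever either side fails the control-character test,
// and also denies anything the WHATWG URL parser cannot parse.
function sameOriginStrict(urlA, urlB) {
  if (hasControlCharacter(urlA) || hasControlCharacter(urlB)) return false;
  try {
    const a = new URL(urlA);
    const b = new URL(urlB);
    return a.protocol === b.protocol && a.host === b.host;
  } catch (_) {
    return false; // unparsable URLs never pass
  }
}
```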
Georgi Guninski <guninski@guninski.com> has set up the following demonstration pages:
Exploit through HTML mail message:
http://www.guninski.com/scriptlet.html
http://www.guninski.com/scrspoof.html
Exploit through TDC:
http://www.guninski.com/scrauto.html
Alp Sinan <alp@uk2.net> has set up the following demonstration pages:
Reading of local files:
http://horoznet.com/AlpSinan/localread.htm
Window spoofing:
http://horoznet.com/AlpSinan/webspoof.htm
Cross-frame security circumvention:
http://horoznet.com/AlpSinan/crossframe.htm