
Archive: December 2001 ml@sikurezza.org
Subject: [ENG] Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug
From: Coppola Federico
Date: 20 Dec 2001 09:35:15 -0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From bugtraq:

- --cut--
Subject: Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: December 19, 2001
Severity: High
Vulnerable: IE 6.0.2600.0000 + Windows 2000
Update Versions: Q312461; Q240308; Q313675

Discussion:
By simply using the document.open method and not using the document.close method you are able to: steal cookies; read local files that are parsable by IE (MIME type text/html to be exact); and spoof sites.

Exploits:
http://www.osioniusx.com
"cookieStealing.html" - This opens Yahoo.com and steals the cookie.
"FileReading.html" - This opens up C:\test.txt and then reads it.
"SiteSpoofing.html" - This spoofs www.chase.com -- chase.com is in the url, the title, and there is a link on the page to log on to your account which comes back to www.osioniusx.com.

Potential Solution:
Fix required on document.open method.

Vendor Status:
Emailed to "Secure@microsoft.com".
- --cut--

- ---
Federico "SilentMan" Coppola
AzzurraNET IRC Administrator
http://www.azzurra.org/
http://www.2night.it/
PGP key: http://www.silentman.it/key/federico.asc

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPCGLd2LLFDu4w4amEQKoEgCgx87Y86svq0UTYvSdD0buU6UeSBQAn0b3
WD3GLcEXbsezLqjXZYgzktVH
=Z1QX
-----END PGP SIGNATURE-----

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005