RE: Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug

Affects latest 5.5 SP2 patched version on Win2k as well.

PLUS, if you use an "https://" URL, it also shows THAT in the location bar.

Naturally, there are no SSL indicators (padlock, Secure properties, etc). 

For the paranoid among us (i.e. you have the alerts turned on), IE DOES warn
that you are entering and then LEAVING a secure session, but the fact
remains that the Location field shows "https://"

Ooops!

It doesn't seem to work for documents containing frames, however. 

And you can get the logo to stop spinning by doing the document.close inside
the timeout call. (If you look at the source of the spoofed page demo,
you'll see what I mean.)

Rogan


> -----Original Message-----
> From: the Pull [mailto:osioniusx@yahoo.com]
> Sent: 20 December 2001 01:59
> To: bugtraq@securityfocus.com
> Subject: Internet Explorer Document.Open() Without Close() Cookie
> Stealing, File Reading, Site Spoofing Bug
> 
> 
> Class: Failure to Handle Exceptional Conditions
> Remote: Yes
> Local: Yes
> Found: December 19, 2001
> Severity: High
> Vulnerable: IE 6.0.2600.0000
> + Windows 2000 Update Versions: Q312461; Q240308;
> Q313675
> 
> 
> 
> 
> Discussion: By simply using the document.open method
> and not using the document.close method you are able
> to: steal cookies; read local files that are parsable
> by IE (MIME type text/html to be exact); and spoof
> sites.
> 
> Exploits: http://www.osioniusx.com
> 
> "cookieStealing.html" - This opens Yahoo.com and
> steals the cookie.
> "FileReading.html" - This opens up C:\test.txt and
> then reads it.
> "SiteSpoofing.html" - This spoofs www.chase.com  --
> chase.com is in the url, the title, and there is a
> link on the page to log on to your account which comes
> back to www.osioniusx.com.
> 
> 
> Potential Solution: Fix required on document.open
> method.
> 
> Vendor Status: Emailed to "Secure@microsoft.com". 
> 
