Confirmed on IE 5.50.4807.2300, 3 of them work! :(

SOL,
Dike

> -----Original Message-----
> From: the Pull [mailto:osioniusx@yahoo.com]
> Sent: Thursday, December 20, 2001 8:59 AM
> To: bugtraq@securityfocus.com
> Subject: Internet Explorer Document.Open() Without Close() Cookie
> Stealing, File Reading, Site Spoofing Bug
>
>
> Class: Failure to Handle Exceptional Conditions
> Remote: Yes
> Local: Yes
> Found: December 19, 2001
> Severity: High
> Vulnerable: IE 6.0.2600.0000
> + Windows 2000 Update Versions: Q312461; Q240308; Q313675
>
>
> Discussion: By simply using the document.open method and not using the
> document.close method you are able to: steal cookies; read local files
> that are parsable by IE (mime type text/html to be exact); and spoof
> sites.
>
> Exploits: http://www.osioniusx.com
>
> "cookieStealing.html" - This opens Yahoo.com and steals the cookie.
> "FileReading.html" - This opens up C:\test.txt and then reads it.
> "SiteSpoofing.html" - This spoofs www.chase.com -- chase.com is in the
> url, the title, and there is a link on the page to log on to your
> account which comes back to www.osioniusx.com.
>
>
> Potential Solution: Fix required on document.open method.
>
> Vendor Status: Emailed to "Secure@microsoft.com".