[NT] Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, and Site Spoofing Bug

From: support@securiteam.com
Date: 12/20/01 

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 20 Dec 2001 09:47:08 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Internet Explorer Document.Open() Without Close() Cookie Stealing, File
Reading, and Site Spoofing Bug
------------------------------------------------------------------------

SUMMARY

By simply using the document.open method without document.close, an
attacker can steal cookies, read local files that are parse-able by
Internet Explorer (mime type text/html to be exact), and spoof sites.

DETAILS

Vulnerable systems:
Internet Explorer 6.0

Demonstrations:
The following demonstrations are available at:
 <http://www.osioniusx.com> http://www.osioniusx.com

"cookieStealing.html" - This opens Yahoo.com and steals the cookie.
"FileReading.html" - This opens up C:\test.txt and then reads it.
"SiteSpoofing.html" - This spoofs www.chase.com (a bank) - chase.com is in
the URL, the title, and there is a link on the page to log on to your
account that comes back to www.osioniusx.com.

ADDITIONAL INFORMATION

The information has been provided by <mailto:osioniusx@yahoo.com> the
Pull.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [NT] Internet Explorer JavaScript Modeless Popup DoS
    ... endless loop and rendering the internet explorer useless. ... Place this Code into an HTML file called exploit.html: ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [NT] DoS in Multiple IE Versions (Self-Referenced Directives)
    ... to completely crash Internet Explorer. ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [NT] Microsoft Internet Explorer and mshtml.dll Nested OBJECT Tag DoS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Internet Explorer and mshtml.dll Nested OBJECT Tag DoS ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [NT] MSIE URL Buffer Overflow using Greek Characters
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A security vulnerability in Internet Explorer has been found, ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • Re: Internet Explorer 6 Problems
    ... %windir%\Network Diagnostic\xpnetdiag.exe (file missing) ... Windows Defender and/or Spybot Search & ... How to manage Internet Explorer add-ons in Windows XP Service Pack 2 ... The Internet Explorer that opens up is also very buggy and ...
    (microsoft.public.windows.inetexplorer.ie6.browser)