RE: File extensions spoofable in MSIE download dialog

From: Jouko Pynnonen (jouko@solutions.fi)
Date: 11/26/01 

Date: Mon, 26 Nov 2001 20:51:11 +0200 (EET)
From: Jouko Pynnonen <jouko@solutions.fi>
To: "Jonathan G. Lampe" <jonathan@stdnet.com>
Subject: RE: File extensions spoofable in MSIE download dialog
Message-ID: <Pine.LNX.4.33.0111262025330.7271-100000@lissu.solutions.fi>

On Mon, 26 Nov 2001, Jonathan G. Lampe wrote:

> I could not reproduce this problem with semi-current versions of the latest
> browsers.

[snip]

> I tried the following four variations in my test: (Comment/uncomment the
> lines!)
> 1. Bogus Content Type, No Attachment Header
> 2. octet Content Type, No Attachment Header
> 3. Bogus Content Type, Attachment Header
> 4. octet Content Type, Attachment Header

Some details needed for reproducing and exploiting the flaw were left
out of my posting because there is no good workaround or a patch
available, and the flaw could be quite easily used maliciously. Using
those details it would be relatively easy to create a worm that infects a
system when a user "opens" a plain text file from an infected website,
for instance. For the same reason there wasn't any test page URL included
in my posting. That, and technical details will be published later. 

-- 
Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
jouko@solutions.fi      http://www.solutions.fi    http://www.secmod.com