RE: Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug
From: Sid***, Syaefullah (Syaefullah_Sid***@fmi.com)
Date: 12/20/01
From: "Sid***, Syaefullah" <Syaefullah_Sid***@fmi.com>
To: bugtraq@securityfocus.com
Date: Thu, 20 Dec 2001 15:05:03 +0900
Confirmed on IE 5.50.4807.2300, 3 of them work! :(
SOL,
Dike
> -----Original Message-----
> From: the Pull [mailto:osioniusx@yahoo.com]
> Sent: Thursday, December 20, 2001 8:59 AM
> To: bugtraq@securityfocus.com
> Subject: Internet Explorer Document.Open() Without Close() Cookie
> Stealing, File Reading, Site Spoofing Bug
>
>
> Class: Failure to Handle Exceptional Conditions
> Remote: Yes
> Local: Yes
> Found: December 19, 2001
> Severity: High
> Vulnerable: IE 6.0.2600.0000
> + Windows 2000 Update Versions: Q312461; Q240308;
> Q313675
>
>
>
>
> Discussion: By simply using the document.open method
> and not using the document.close method you are able
> to: steal cookies; read local files that are parsable
> by IE (mime type text/html to be exact); and spoof
> sites.
>
> Exploits: http://www.osioniusx.com
>
> "cookieStealing.html" - This opens Yahoo.com and
> steals the cookie.
> "FileReading.html" - This opens up C:\test.txt and
> then reads it.
> "SiteSpoofing.html" - This spoofs www.chase.com --
> chase.com is in the url, the title, and there is a
> link on the page to log on to your account which comes
> back to www.osioniusx.com.
>
>
> Potential Solution: Fix required on document.open
> method.
>
> Vendor Status: Emailed to "Secure@microsoft.com".
>