Re: Is it safe to open a text file in Internet Explorer?
From: Jim Carlock (anonymous_at_localhost)
Date: 03/12/05
- Next message: Roger Abell [MVP]: "Re: Unable to view/manage server roles (windows 2003 server)"
- Previous message: Lil' Dave: "Re: Best freeware available?"
- In reply to: Galen: "Re: Is it safe to open a text file in Internet Explorer?"
- Next in thread: Jim Carlock: "Re: Is it safe to open a text file in Internet Explorer?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 12 Mar 2005 08:41:30 -0500
Galen,
You can do what you like with the source code there. It's
free for the taking. LOL like it's worth anything. All it does
is place a ListView (mscomctrl.ocx) on a blank form. I was
typing the extension info and such from memory so it's exactly
as you've described it (unless you've described it wrong). <g>
Those links on the page were other issues last year and
are completely unrelated and not worth bothering with. They
were resolved.
You can do whatever you like with them. LOL Like I could
put a patent or trademark on such code, an empty form with
an empty ListView on it. That would be like putting a patent on
the CR character. Hmmm... <snicker>
Which someone might have. IBM had CRLF patented, Digital
or somesuch had LFCR patented or somesuch. That's why
Unix started using a single character for the CRLF sequence.
<shrug> Read the rest inline below.
"Galen" wrote:
Jim Carlock had this to say:
> Don't bother with the Error 1 stuff or Error 2 stuff there.
> They'll just confuse things.
> Anyhow, what I'm going to get to here, is this is a flaw...
> No doubt about that. It's certainly a flaw and NEEDS
> to be reported ASAP.
>
> However, the question was, and remains, is this a security
> risk? I'm going to hope that I have your permission to explore
> this further. I didn't see any copyright notice and the source is
> freely available, at any time you can request I not do so if you'd
> like however. I would honor such requests...
Heh, before anyone patents it I declare it public property if I
have such rights to do so, and I declare it in the public domain,
and no one has a right to patent it. That's all I'll say about that.
> What is odd, in the thread from the tinyurl link:
>
> "Download it to your disk, change the extension, then SendTo
> Internet Explorer. With .gif, or .jpg you get a missing picture
> look. With a .bmp extension you get an error message that it
> is NOT a bitmap. With .txt you get what you indicated. With
> an .html or .htm extension it appears similar to blank.htm. With
> an .xml extension you get "The XML page cannot be displayed."."
>
> When I opened the link in IE I got the XML page error:
> *****************************************************
> XML Page cannot be displayed
>
> Cannot view XML input using style ***. Please correct the error and then
> click the Refresh button, or try again later.
> *****************************************************
> That was with the .txt extension... The real question is, is this flaw
> capable of executing an unsafe file? No? I really HATE to give a
> certain answer here. I've read, re-read, Googled, and MSN
> searched -- MSN search is getting pretty good by the way -- and
> I really want to say "NO" but I've always been skeptical. In this case
> that means that I don't THINK that there's potential for exploitation
> by NORMAL means for this nor any known at this time. However
> it needs more research...
NOTE: It seems to be showing itself properly when it's on the hard
disk and viewed as a localized file. Bahh! I can't duplicate the problem
I had yesterday... It still gives the error message when viewed off
the website, but maybe I'm going mad. When I put it on my HDD
and try to view it... hmm, maybe I should clear the cache.<g> Bahh!
The link is placed for folks to right click and download to their system.
http://microcosmotalk.com/images/xpsp6/report.txt
> IF you do NOT mind there's a few people I'd like to direct to this
> thread. They are as harmless as I and probably better educated
> (31 and still haven't finished college and probably never will) and
> are more likely to be able to spot immediate flaws than I. Also,
> of note, I've read the works of Matt Gibson and think that he's
> taken an interest to this thread as well. Yes, I'm like that. Anyhow,
> I've done a small bit of playing over the past couple of hours while
> answering email and reading a few others and I don't see a way
> that this can actually execute anything.
It's in the public domain IF I can do that. Feel free. Have at it. Just
remember the first two links (the Error #1 and Error #2 would be
really confusing to anyone trying to figure those out and shouldn't
be worried about).
> Galen
> --
> Signature changed for a moment of silence.
Rest well Alex and we'll see you on the other side.
I'm glad the title of the newsgroup message generated some
attention.
--
Jim Carlock
Please post replies to newsgroup.