Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Vista
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
playing for fun with <=IE7
Oct 12 2007 08:34PM
laurent gaffie gmail com
(3 replies)
playing for fun with <=IE7
Impact: who knows ...
Fix Available: no
-------------------------------------------------------
1) Bug
2) Proof of concept
3)Conclusion
======
1) Bug
======
it's possible to bypass the extension filter of <=IE7 this can result by downloading
an arbitrary exe file
=====
2)proof of concept
=====
let's take this exemple :
http://dams083.free.fr/tmp/putty.exe
this is simply putty .
you click on this and then you will be prompted for downloading the file.
but what about if we do :
http://dams083.free.fr/tmp/putty.exe?1.txt
... the .exe is showed.
now let's go a bit ahead :
http://dams083.free.fr/tmp/putty.exe?1.cda
wow my .exe is downloaded directly and located in temporary files ( and """opened""" by windows media player).
works with theses extension :
.log
.dif
.sol
.htt
.itpc
.itms
.dvr-ms
.dib
.asf
.tif
etc ...
=====
5) Conclusion
=====
this is very funny , because actually it only works for .exe extensions.
.COM , .PIF , etc you CANT do this. ( overwrite the extension , and then bypass the filter)
i guess we can wonder what the heck.
regards laurent gaffié
[ reply ]
RE: playing for fun with <=IE7
Oct 15 2007 10:21PM
avivra (avivra gmail com)
RE: playing for fun with <=IE7
Oct 15 2007 07:39PM
James C. Slora Jr. (james slora phra com)
RE: playing for fun with <=IE7
Oct 13 2007 06:05PM
Roger A. Grimes (roger banneretcs com)
Privacy Statement
Copyright 2008, SecurityFocus
Impact: who knows ...
Fix Available: no
-------------------------------------------------------
1) Bug
2) Proof of concept
3)Conclusion
======
1) Bug
======
it's possible to bypass the extension filter of <=IE7 this can result by downloading
an arbitrary exe file
=====
2)proof of concept
=====
let's take this exemple :
http://dams083.free.fr/tmp/putty.exe
this is simply putty .
you click on this and then you will be prompted for downloading the file.
but what about if we do :
http://dams083.free.fr/tmp/putty.exe?1.txt
... the .exe is showed.
now let's go a bit ahead :
http://dams083.free.fr/tmp/putty.exe?1.cda
wow my .exe is downloaded directly and located in temporary files ( and """opened""" by windows media player).
works with theses extension :
.log
.dif
.sol
.htt
.itpc
.itms
.dvr-ms
.dib
.asf
.tif
etc ...
=====
5) Conclusion
=====
this is very funny , because actually it only works for .exe extensions.
.COM , .PIF , etc you CANT do this. ( overwrite the extension , and then bypass the filter)
i guess we can wonder what the heck.
regards laurent gaffié
[ reply ]