playing for fun with <=IE7 Oct 12 2007 08:34PM
laurent gaffie gmail com (3 replies)
RE: playing for fun with <=IE7 Oct 15 2007 10:21PM
avivra (avivra gmail com)
RE: playing for fun with <=IE7 Oct 15 2007 07:39PM
James C. Slora Jr. (james slora phra com)
RE: playing for fun with <=IE7 Oct 13 2007 06:05PM
Roger A. Grimes (roger banneretcs com)
It is interesting. I've even confirmed the behavior with IE 7 in Vista.

Although the real concern is if it could be used in an exploitation?

The examples below aren't exploitable...just interesting outcomes.


*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes (at) infoworld (dot) com [email concealed] or roger (at) banneretcs (dot) com [email concealed]
*Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley)

-----Original Message-----
From: laurent.gaffie (at) gmail (dot) com [email concealed] [mailto:laurent.gaffie (at) gmail (dot) com [email concealed]]
Sent: Friday, October 12, 2007 4:34 PM
To: bugtraq (at) securityfocus (dot) com [email concealed]
Subject: playing for fun with <=IE7

playing for fun with <=IE7
Impact: who knows ...
Fix Available: no


1) Bug
2) Proof of concept

1) Bug
it's possible to bypass the extension filter of <=IE7 this can result by downloading
an arbitrary exe file

2)proof of concept
let's take this exemple :
this is simply putty .
you click on this and then you will be prompted for downloading the file.
but what about if we do :
... the .exe is showed.
now let's go a bit ahead :
wow my .exe is downloaded directly and located in temporary files ( and """opened""" by windows media player).
works with theses extension :
etc ...
5) Conclusion
this is very funny , because actually it only works for .exe extensions.

.COM , .PIF , etc you CANT do this. ( overwrite the extension , and then bypass the filter)
i guess we can wonder what the heck.

regards laurent gaffié

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus