Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug

[the Pull <osioniusx () yahoo com>]

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: December 19, 2001
Severity: High
Vulnerable: IE 6.0.2600.0000
+ Windows 2000 Update Versions: Q312461; Q240308;
Q313675




Discussion: By simply using the document.open method
and not using the document.close method you are able
to: steal cookies; read local files that are parsable
by IE(mime type text/html to be exact); and spoof
sites.

Exploits: http://www.osioniusx.com

"cookieStealing.html" - This opens Yahoo.com and
steals the cookie.
"FileReading.html" - This opens up C:\test.txt and
then reads it.
"SiteSpoofing.html" - This spoofs www.chase.com  --
chase.com is in the url, the title, and there is a
link on the page to log on to your account which comes
back to www.osioniusx.com.


Potential Solution: Fix required on document.open
method.

Vendor Status: Emailed to "Secure () microsoft com". 


 

 


__________________________________________________
Do You Yahoo!?
Check out Yahoo! Shopping and Yahoo! Auctions for all of
your unique holiday gifts! Buy at http://shopping.yahoo.com
or bid at http://auctions.yahoo.com