
List:       bugtraq
Subject:    Re: File extensions spoofable in MSIE download dialog
From:       "'StatiC'" <static () tampabay ! rr ! com>
Date:       2001-11-29 18:49:12

It appears only IE5.5 has this problem.  I just tested with IE5.0 sp2 and IE6 and
both of those versions prompt and wait for user intervention for readme.txt and then
wait a second time while prompting to ask to open/saveas calc.exe.

IE5.5 will prompt the user for the initial readme.txt but the next open dialog that
appears for the .exe goes through immediately without user intervention and executes.

I have tested 2 separate IE5.5 systems (one was a new install with default IE5.5 sp2
settings) and they both execute the calc.exe file without giving the user a choice
after the initial readme.txt dialog.

StatiC

On Thu, Nov 29, 2001 at 07:03:21PM +0100, chef wrote:
> -----Original Message-----
> > From: StatiC [mailto:static@tampabay.rr.com] 
> > Sent: Thursday, 29 November 2001 03:52
> > 
> > I was playing with apache configs a few months ago and 
> > noticed a similar issue with IE5.5.  The procedure below will 
> > cause IE5.5 to display the open dialog for readme.txt but 
> > once opened, it executes immediately on IE5.5 sp2 with no 
> > hint that it is really getting an executable file called 
> > calc.exe.  I only tested it with IE5.5.
> 
> I tested it right now, with IE6; Q312461 / WinXP and I think
> there is no problem at all.
> 
> First a question for text.txt pops up and when I say "open"
> a second message with question for save / open pops up.
> This second popup tells the right name "calc.exe".
> Finally when I say "open" it opens the calculator.
> 
> For testing: http://www.geilerserver.de/text.txt
> 
> > Why does microsoft think it is wise to trust the filename in 
> > the url over what the header content-type is set to for 
> > display purposes since the content-type seems to take 
> > priority for what will really happen with the file.
> 
> I think that's only a problem of older versions.
> 
> ^cUbE^
> 
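
Added example, not part of the original messages: a check a proxy or log reviewer could run to flag responses where the file name shown in the URL disagrees with what the server actually declares, which is the mismatch this thread is about. The thread does not show the server configuration, so the use of Content-Type and Content-Disposition headers, the extension tables, the function name audit_download and the sample response are all assumptions made for illustration.

```python
from email.message import Message
from posixpath import basename, splitext
from urllib.parse import unquote, urlsplit

# Constructed tables for illustration; extend them for real traffic.
EXPECTED_TYPES = {
    ".txt": {"text/plain"},
    ".htm": {"text/html"},
    ".html": {"text/html"},
    ".gif": {"image/gif"},
    ".jpg": {"image/jpeg"},
}
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def _ext(name):
    return splitext(name)[1].lower()


def audit_download(url, headers):
    """Return findings for one response: url is what the user clicked,
    headers is a dict of response header name -> value."""
    msg = Message()
    for name, value in headers.items():
        msg[name] = value

    url_name = basename(unquote(urlsplit(url).path))
    url_ext = _ext(url_name)
    ctype = msg.get_content_type() if "Content-Type" in msg else None
    disp_name = msg.get_filename()  # Content-Disposition filename= (or Content-Type name=)
    disp_ext = _ext(disp_name) if disp_name else None
    findings = []

    expected = EXPECTED_TYPES.get(url_ext)
    if expected and ctype and ctype not in expected:
        findings.append(f"type-mismatch: {url_name} served as {ctype}")
    if disp_name and disp_ext != url_ext:
        findings.append(f"name-mismatch: {url_name} delivered as {disp_name}")
    if disp_ext in EXECUTABLE_EXTS and url_ext not in EXECUTABLE_EXTS:
        findings.append(f"hidden-executable: {disp_name}")
    return findings


if __name__ == "__main__":
    # Constructed sample response, not captured from the server in the thread.
    sample = {"Content-Type": "application/octet-stream",
              "Content-Disposition": "attachment; filename=calc.exe"}
    for finding in audit_download("http://example.test/readme.txt", sample):
        print(finding)
```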
