Vulnerability
Internet Explorer
Affected
Mac OS with Internet Explorer 3.0
Description
Andrew McNaughton posted the following. Microsoft Explorer version
3.0 PPC running on a Mac is quite happy to write form output data
to a local file, possibly overwriting existing data.
You may overwrite your own form with <FORM ACTION = "">, entered
when you want to see the appearance of the form. Also, absolute
addressing is possible using file:// and this can be abused
through a remote form.
A maliciously written form might include the following:
<FORM ACTION="file:///Hard_Disk/Desktop%20Folder/Untitled.html" METHOD="POST">
<INPUT NAME="This could have overwritten anything!" TYPE=Hidden>
<Input Type=Submit>
</FORM>
The file Hard_Disk:Desktop Folder:Untitled.html gets written or
overwritten, and receives the following contents:
This+could+have+overwritten+anything%21=
The potential for writing particular data to the file is limited
by the URL encoding of the Form Output, and such attacks are for
the most part going to be impossible. Damage to what is already
on the machine is more likely.
If however there is a convenient text encoded compression format
that is recognised by StuffIt Expander, then it might be possible
to get things executed by storing them in suitable form in the
startup items folder.
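An added example, not part of the original advisory: a Python check that parses a page, resolves each form's ACTION against the page URL (so an empty ACTION on a locally opened page is caught as well), and reports forms that would submit to a file: URL together with the URL-encoded body they would send. The function and class names and the page URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlencode

# The form from the advisory, embedded as sample input.
SAMPLE = '''<FORM ACTION="file:///Hard_Disk/Desktop%20Folder/Untitled.html" METHOD="POST">
<INPUT NAME="This could have overwritten anything!" TYPE=Hidden>
<Input Type=Submit>
</FORM>'''


class FormAudit(HTMLParser):
    """Collect each form's resolved action, method and default field values."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "form":
            action = (a.get("action") or "").strip()
            self._open = {
                # An empty ACTION resolves to the URL of the page itself.
                "action": urljoin(self.page_url, action),
                "method": (a.get("method") or "GET").upper(),
                "fields": [],
            }
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None and a.get("name"):
            # Inputs without a NAME (the bare submit button) are not sent.
            self._open["fields"].append((a["name"], a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def file_target_forms(html, page_url):
    """Return (target, method, encoded_body) for forms that submit to file: URLs."""
    audit = FormAudit(page_url)
    audit.feed(html)
    audit.close()
    return [(f["action"], f["method"], urlencode(f["fields"]))
            for f in audit.forms
            if urlsplit(f["action"]).scheme.lower() == "file"]


if __name__ == "__main__":
    # example.test is a constructed page URL.
    print(file_target_forms(SAMPLE, "http://example.test/page.html"))
```

The encoded body reported for the sample form is the same string the advisory lists as the file contents, which shows the limit that URL encoding places on what can be written.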
Solution
Nothing yet.