Message-ID: <031301c39f72$ad49f820$0900000a@whitestar>
Date: Thu, 30 Oct 2003 21:48:17 -0800
From: "Gadi Evron" <ge@...tistical.reprehensible.net>
To: <bugtraq@...urityfocus.com>
Subject: IE bug: loading HTML under a graphic file name - summary


There have been several posts on the subject, starting with my post on
the new trojan horse exploiting this "bug" to load itself, and then
execute javascript code with one of the latest IE exploits allowing it
to over-write files.

Some guesses have been made, and although it is true that if the file
(name.jpg) was actually a directory (/name.jpg/) then an index file
might load, that is not the case here. Let me summarize all that has
been said and explain the issue:

IE loads the file. When it doesn't receive the jpeg it expects it
believes it is a server error page, generated in HTML (404 - file not
found, in this case), and loads the HTML.

The bug, as was also written in alt.comp.virus by Carol, is that IE
does not show this as an HTML file, and keeps the cached file name, in
this case, britney.jpg, thus creating the illusion this was a real file
- leaving the user completely unaware of what happened.

This is not a new "bug", but it is the first time to my knowledge (and
Carol's, who replied in alt.comp.virus to a rip of my original post to
this list) that it has been used in this malicious way.

      Gadi Evron (i.e. ge),
      ge@...uxbox.org.

--------
gevron@...vision.net.il
PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.
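
Added illustration of the behaviour described in this post (not part of the original message): a check a proxy or crawler could run on a response fetched under a graphic file name, comparing the body's leading bytes with the format the name promises. The function names, the marker list and the sample bodies are assumptions constructed for this example.

```python
import os

# Leading bytes of the image formats a graphic file name normally promises.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# Tokens that mark a body as HTML or script (illustrative, not exhaustive).
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<iframe")


def looks_like_html(body: bytes) -> bool:
    """True when the first 512 bytes contain an HTML/script marker."""
    head = body[:512].lower()
    return any(marker in head for marker in HTML_MARKERS)


def audit_response(url_path: str, body: bytes) -> str:
    """Classify a body fetched under url_path.

    Returns 'ok', 'html-under-image-name', 'not-an-image' or 'not-checked'.
    """
    ext = os.path.splitext(url_path.split("?", 1)[0])[1].lower()
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return "not-checked"  # the name does not claim to be an image
    if body.startswith(magics):
        return "ok"  # header matches the name; trailing data is not inspected
    if looks_like_html(body):
        return "html-under-image-name"  # the case described in the post
    return "not-an-image"


# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("/pics/britney.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16),
    ("/pics/britney.jpg", b"<html><body><script>/* ... */</script></body></html>"),
    ("/pics/logo.gif", b"  \r\n<!DOCTYPE HTML><HTML><BODY>404</BODY></HTML>"),
    ("/pics/photo.png", b"plain text, neither image nor markup"),
    ("/index.html", b"<html></html>"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(f"{path:20} {audit_response(path, body)}")
```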



