[<prev] [next>] [day] [month] [year] [list]
Message-ID: <031301c39f72$ad49f820$0900000a@whitestar>
Date: Thu, 30 Oct 2003 21:48:17 -0800
From: "Gadi Evron" <ge@...tistical.reprehensible.net>
To: <bugtraq@...urityfocus.com>
Subject: IE bug: loading HTML under a graphic file name - summary
There have been several posts on the subject, starting with my post on
the new trojan horse exploiting this "bug" to load itself, and then
execute javascript code with one of the latest IE exploits allowing it
to over-write files.
Some guesses have been made, and although it is true that if the file
(name.jpg) was actually a directory (/name.jpg/) then an index file
might load, however it is not the case here. Let me surmise all that has
been said and explain the issue:
IE loads the file. When it doesn't receive the jpeg it expects it
believes it is a server error page, generated in HTML (404 - file not
found, in this case), and loads the HTML.
The bug is, as was also written in alt.comp.virus by Carol, is that IE
does not show this as an HTML file, and keep the cached file name, in
this case, britney.jpg. Thus creating the illusion this was a real file
- leaving the user completely unaware of what happened.
This is not a new "bug", but it is the first time in my knowledge (and
Carol's, who replied in alt.comp.virus to a rip of my original post to
this list), but it is the first time it has been used in this malicious
way.
Gadi Evron (i.e. ge),
ge@...uxbox.org.
--------
gevron@...vision.net.il
PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.
Powered by blists - more mailing lists