COMMAND

    IE

SYSTEMS AFFECTED

    IE 5.5

PROBLEM

    Alp Sinan found the following.  A security vulnerability has been
    found in Microsoft Internet Explorer version 5.5.  When "" (an
    undisplayable character, equal to the 1st character in the ASCII
    table, the one after the 0th...) is inserted in some strategic
    position in Javascript code, it is possible to access local files,
    the DOM of IFRAMEs, cookies from other domains, etc...

    The "" character can also be replaced by ...

    The original "%01" bug was found by Georgi Guninski in various
    versions of IE and was patched later...  IE 5.5 seemed to be immune
    to the aforementioned bug...  But once the transformation above is
    done, it again reveals important information...

    There is another strange behaviour of IE that Alp came across: when
    "%01" is inserted in a script, IE never loads the page fully, and in
    most cases it does not display an error message either.  It seems
    to be stuck in an infinite loop between the task "Load the page"
    and "Don't load the page if it contains '%01' 'somewhere'..."
    This suggested to Alp that '%01' still has a special meaning to the
    newest version of IE....
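    As an added defensive example (not from the advisory or from Alp
    Sinan's pages), a Python content filter that flags raw or
    percent-encoded control characters, the inserted byte described
    above, in URL-bearing attributes and script bodies of a page before
    it reaches the browser; the regexes and the SAMPLE page are
    constructed for illustration.

```python
import re
from urllib.parse import unquote

# Control characters other than tab/CR/LF have no legitimate place in a URL
# or a script body, and IE 5.5 gives an embedded \x01 special meaning, so
# flagging them before a page reaches the browser is a usable interim check.
CONTROL_RE = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]')
PERCENT_CTRL_RE = re.compile(r'%(?:[01][0-9a-f]|7f)', re.IGNORECASE)
# Attributes whose values reach IE's URL parser (PARAM value= included).
URL_ATTR_RE = re.compile(
    r'\b(href|src|value)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.IGNORECASE)
SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)

def _fully_decode(s: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding (%2501 -> %01 -> \\x01); bounded so a
    hostile input cannot keep this looping."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def _finding(where: str, text: str, start: int, end: int, code: int) -> dict:
    return {'where': where, 'code': code,
            'context': text[max(0, start - 12):end + 12]}

def find_control_chars(html: str) -> list:
    """One finding per control character in a URL-bearing attribute (after
    decoding) or in a <script> body (raw, or written as %XX)."""
    findings = []
    for m in URL_ATTR_RE.finditer(html):
        attr = m.group(1).lower()
        raw = next(g for g in m.groups()[1:] if g is not None)
        decoded = _fully_decode(raw)
        for c in CONTROL_RE.finditer(decoded):
            findings.append(_finding(attr, decoded, c.start(), c.end(), ord(c.group())))
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        for c in CONTROL_RE.finditer(body):
            findings.append(_finding('script', body, c.start(), c.end(), ord(c.group())))
        for c in PERCENT_CTRL_RE.finditer(body):
            findings.append(_finding('script', body, c.start(), c.end(), int(c.group()[1:], 16)))
    return findings

# Constructed sample (not the advisory's code): a doubly encoded %01 in a
# PARAM URL, plus a raw \x01 and a literal "%01" inside a script.
SAMPLE = ('<PARAM NAME="URL" value="about:http://example.test/%2501page">'
          '<script>\x01alert("%01")</script><a href="/clean">ok</a>')
```

    Running find_control_chars(SAMPLE) yields three findings, all for
    character code 1: one in the PARAM value and two in the script body.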

    There are many such codes that can be applied... you can see them at

        http://horoznet.com/AlpSinan

    Just one of them: this code will access the cookies of any domain....

        <OBJECT classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389" width="1024" height="500">
        <PARAM NAME="URL" value="about:<iframe id=box src='http://lc2.law5.hotmail.passport.com/cgi-bin/login' width='800' ></iframe><script>setTimeout('alert(\'your cookie from hotmail \'+box.document.cookie)',10000) </script>http://lc2.law5.hotmail.passport.com/cgi-bin/login">
        </OBJECT>

SOLUTION

    Nothing yet.