COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    Mac OS with Internet Explorer 3.0

PROBLEM

    Andrew McNaughton posted the following.  Microsoft Explorer version
    3.0 PPC running on a Mac is quite happy to write form output data
    to a local file, possibly overwriting existing data.

    You may overwrite your own form with <FORM ACTION="">, entered
    when you want to see the appearance of the form.  Also, absolute
    addressing is possible using file:// and this can be abused
    through a remote form.

    A maliciously written form might include the following:

    <FORM ACTION="file:///Hard_Disk/Desktop%20Folder/Untitled.html" METHOD="POST">
    <INPUT NAME="This could have overwritten anything!" TYPE=Hidden>
    <Input Type=Submit>
    </FORM>

    The file Hard_Disk:Desktop Folder:Untitled.html gets written or
    overwritten, and receives the following contents:

    This+could+have+overwritten+anything%21=

    The potential for writing particular data to the file is limited
    by the URL encoding of the form output, and such attacks are for
    the most part going to be impossible.  Damage to what is already
    on the machine is more likely.

    If, however, there is a convenient text-encoded compression format
    that is recognised by StuffIt Expander, then it might be possible
    to get things executed by storing them in a suitable form in the
    startup items folder.
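
    An added example, not part of the original post: a Python check that
    a filtering proxy or page auditor could run to flag forms whose
    ACTION is empty or targets a file: URL, reporting the URL-encoded
    body such a form would write.  The names FormAuditor and audit_forms
    and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

class FormAuditor(HTMLParser):
    """Collect each FORM's action and the name/value pairs it would submit."""
    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "fields": [(name, value)]}]
        self.current = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if tag == "form":
            self.current = {"action": a.get("action", "").strip(), "fields": []}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None and "name" in a:
            self.current["fields"].append((a["name"], a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def audit_forms(html):
    """Return findings for forms whose ACTION is empty or a file: URL."""
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        action = form["action"]
        if action == "":                      # missing ACTION is treated as empty
            reason = "empty ACTION"
        elif urlsplit(action).scheme.lower() == "file":
            reason = "ACTION targets a local file"
        else:
            continue
        # The x-www-form-urlencoded body is all the form can write to the target.
        findings.append({"action": action, "reason": reason,
                         "body": urlencode(form["fields"])})
    return findings

# Constructed sample page: the form from the advisory plus an ordinary one.
SAMPLE = '''
<FORM ACTION="file:///Hard_Disk/Desktop%20Folder/Untitled.html" METHOD="POST">
<INPUT NAME="This could have overwritten anything!" TYPE=Hidden>
<Input Type=Submit>
</FORM>
<form action="http://example.com/cgi-bin/search"><input name="q" value="t"></form>
'''

if __name__ == "__main__":
    for f in audit_forms(SAMPLE):
        print(f["reason"], "|", f["action"], "|", f["body"])
```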

SOLUTION

    Nothing yet.