Mac MSIE 3.0 file overwrite.

Andrew McNaughton (andrew@SQUIZ.CO.NZ)
Fri, 29 Aug 1997 10:54:43 +1200

I imagine this is probably already known? If so, could someone point me to
where I should have looked to check this.

Microsoft Explorer version 3.0 PPC running on a mac is quite happy to write
form output data to a local file, possibly overwriting existing data.

At first I thought this ability to write form output to a local file
(discovered through relative addressing and a local copy of a form) was
kind of useful. Then I overwrote my own form with <FORM ACTION = "">,
entered when I just wanted to see the appearance of the form. Then I found
that absolute addressing is possible using file:// and this can be abused
through a remote form.

A Maliciously written Form might include the following:

<FORM ACTION="file:///Hard_Disk/Desktop%20Folder/Untitled.html" METHOD="POST">
<INPUT NAME="This could have overwritten anything!" TYPE=Hidden>
<Input Type=Submit>
</FORM>

The file Hard_Disk:Desktop Folder:Untitled.html gets written or
overwritten, and recieves the following contents:

This+could+have+overwritten+anything%21=

The potential for writing particular data to the file is limited by the URL
encoding of the Form Output, and such attacks are for the most part going
to be impossible. Damage to what is already on the machine is more likely.

If however there is a convenient text encoded compression format that is
recognised by stuffit expander, then it might be possible to get things
excecuted by storing them in suitableform in the startup items folder.

Is this Mac Specific? Has it been fixed?

Andrew McNaughton

. . . . . . . . . . . . . . . .
Andrew McNaughton | I tried to make it idiot proof,
Andrew@squiz.co.nz | but they just developed a
http://www.squiz.co.nz | better idiot
http://www.newsroom.co.nz
. . . . . . . . . . . . . . . .