Microsoft IE Custom 404 Error and execCommand SaveAs Download Warning Bypass Vulnerability


Vulnerability ID: 1201082    Vulnerability type: Design error
Published: 2004-11-16    Updated: 2005-10-20
CVE ID: CVE-2004-1331
CNNVD ID: CNNVD-200411-036
Platform: N/A    CVSS score: 2.6
|Vulnerability sources
https://cxsecurity.com/issue/WLB-2007100041
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200411-036
|Vulnerability details
Microsoft Internet Explorer is a popular web browser. Microsoft Internet Explorer does not correctly handle URLs that contain certain characters; a remote attacker can exploit this to bypass the file download warning of Windows XP SP2 and have a file downloaded and saved directly. A remote user can construct a custom HTTP 404 error message and pass it to the execCommand 'SaveAs' method to bypass the 'File Download' and 'File Open' security warnings, so that arbitrary files are downloaded onto the target user's system without any warning being shown to the user.
|Exploit
playing for fun with <=IE7

Impact: who knows ...

Fix Available: no

-------------------------------------------------------

1) Bug

2) Proof of concept

3) Conclusion

======

1) Bug

======

it's possible to bypass the extension filter of <=IE7; this can result in
downloading an arbitrary exe file

=====

2) Proof of concept

=====

let's take this example:

http://dams083.free.fr/tmp/putty.exe

this is simply putty.

you click on this and then you will be prompted for downloading the file.

but what about if we do:

http://dams083.free.fr/tmp/putty.exe?1.txt

... the .exe is shown.

now let's go a bit further:

http://dams083.free.fr/tmp/putty.exe?1.cda

wow, my .exe is downloaded directly and located in temporary files (and
"""opened""" by windows media player).

works with these extensions:

.log
.dif
.sol
.htt
.itpc
.itms
.dvr-ms
.dib
.asf
.tif

etc ...

=====

3) Conclusion

=====

this is very funny, because actually it only works for .exe extensions.

.COM, .PIF, etc. you CAN'T do this. (overwrite the extension, and then
bypass the filter)

i guess we can wonder what the heck.

regards laurent gaffi
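The advisory above describes a request pattern that a defender can look for in proxy or web-server logs: a URL whose path names an executable but whose query string ends in one of the harmless-looking extensions listed (e.g. `/putty.exe?1.cda`). The following scanner is an added example, not code from the advisory or from the database page; the log format, the client addresses and the `example.invalid` host are constructed, and the set of decoy extensions is taken from the advisory's list, which it ends with "etc ...", so the set is meant to be reviewed and extended.

```python
"""Flag log entries whose URL path names an executable but whose query
string ends in a media/document-style extension, the pattern described in
the advisory above.  Sample data is constructed; this is not the
advisory's own code."""
import re
from urllib.parse import urlsplit, unquote

# Executable extensions the download filter is meant to catch.
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat"}
# Trailing query-string "extensions" the advisory reports as causing a
# silent download/open.  The advisory's list is open-ended ("etc ...").
DECOY_EXTS = {".cda", ".log", ".dif", ".sol", ".htt", ".itpc", ".itms",
              ".dvr-ms", ".dib", ".asf", ".tif"}


def path_ext(path: str) -> str:
    """Extension of the last path segment, lower-cased; '' if none."""
    name = unquote(path).rsplit("/", 1)[-1]
    i = name.rfind(".")
    return name[i:].lower() if i > 0 else ""


def query_ext(query: str) -> str:
    """Pseudo-extension at the very end of the query string; '' if none."""
    tail = unquote(query)
    m = re.search(r"(\.[A-Za-z0-9-]{1,8})$", tail)
    return m.group(1).lower() if m else ""


def classify_url(url: str) -> str:
    """Return 'suspicious', 'executable' or 'benign' for one request URL.

    'executable' is a plain executable download (the normal prompt case);
    'suspicious' is an executable path whose query string ends in a decoy
    extension, i.e. the bypass pattern from the advisory."""
    parts = urlsplit(url)
    pext = path_ext(parts.path)
    if pext not in EXECUTABLE_EXTS:
        return "benign"
    if query_ext(parts.query) in DECOY_EXTS:
        return "suspicious"
    return "executable"


# Constructed sample log lines: client, method, URL.
SAMPLE_LOG = """\
10.0.0.5 GET http://example.invalid/tmp/putty.exe
10.0.0.5 GET http://example.invalid/tmp/putty.exe?1.txt
10.0.0.7 GET http://example.invalid/tmp/putty.exe?1.cda
10.0.0.9 GET http://example.invalid/docs/readme.txt?1.cda
10.0.0.9 GET http://example.invalid/tools/setup.EXE?download=1.dvr-ms
"""


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, url, verdict) for every non-benign log line."""
    hits = []
    for line in text.splitlines():
        try:
            client, _method, url = line.split(None, 2)
        except ValueError:
            continue  # malformed line; skip it
        verdict = classify_url(url)
        if verdict != "benign":
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:10s} {client:10s} {url}")
```

The classifier deliberately separates a plain executable download from the bypass pattern, so an alerting rule can page on `suspicious` while only counting `executable`; note that the path extension is compared case-insensitively (`setup.EXE` is still an executable) and that the query-string check only looks at the very end of the query, which is where the advisory's decoy extension sits.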
|References

Source: US-CERT Vulnerability Note: VU#743974
Name: VU#743974
Link: http://www.kb.cert.org/vuls/id/743974

Source: XF
Name: ie-execommand-warning-bypass(18181)
Link: http://xforce.iss.net/xforce/xfdb/18181

Source: BID
Name: 11686
Link: http://www.securityfocus.com/bid/11686

Source: www.frsirt.com
Link: http://www.frsirt.com/exploits/20041119.IESP2Unpatched.php

Source: SECUNIA
Name: 13203
Link: http://secunia.com/advisories/13203/

Source: BUGTRAQ
Name: 20041119 Microsoft Internet Explorer 6 SP2 Vulnerabilities / Full disclosure Vs. Security by Obscurity…
Link: http://archives.neohapsis.com/archives/bugtraq/2004-11/0260.html

Source: SREASON
Name: 3220
Link: http://securityreason.com/securityalert/3220
