notepad security vulnerability
- Red Squirrel
- Posts: 29209
- Joined: Wed Dec 18, 2002 12:14 am
- Location: Northern Ontario
notepad security vulnerability
Yes, the title is right, a security vulnerability involving notepad. It's not directly in Notepad, but in IE.
See this for example:
[dohtml]
<a href="view-source:http://www.iceteks.com">click here!</a>
[/dohtml]
Code:
<a href="view-source:http://www.iceteks.com">click here!</a>
That simple! This can be used to open a bunch of notepad windows and create popups.
See this link for example:
http://members.cox.net/duno06/
more info:
http://www.computerbytesman.com/security/notepadpopups.htm
Archived topic from Iceteks, old topic ID:1427, old post ID:12270
Honk if you love Jesus, text if you want to meet Him!
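The link in the opening post works because the forum passes an anchor with a `view-source:` scheme straight to the browser. As an added example (not part of the thread), this Python check is one way a forum or mail filter could flag such links in user-supplied HTML; the allowlist policy and the names `audit_links` and `link_scheme` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed policy for user-posted HTML: only these schemes may appear in links.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
URL_ATTRS = {"href", "src", "action"}
LEADING_JUNK = "".join(map(chr, range(0x21)))  # C0 controls and space


def link_scheme(url):
    """Return the lower-cased scheme of url, or '' for a relative reference."""
    # Browsers drop tabs and newlines inside a URL and trim leading
    # whitespace, so normalise the same way before matching the scheme.
    cleaned = re.sub(r"[\t\r\n]", "", url).lstrip(LEADING_JUNK)
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else ""


class LinkAuditor(HTMLParser):
    """Collects (tag, attribute, url, scheme) for links outside the allowlist."""

    def __init__(self):
        super().__init__()
        self.rejected = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                scheme = link_scheme(value)
                if scheme and scheme not in ALLOWED_SCHEMES:
                    self.rejected.append((tag, name, value, scheme))


def audit_links(html):
    """Return every link in html whose scheme is not on the allowlist."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.rejected


# Constructed sample: the link from the post, a mixed-case copy, two normal links.
SAMPLE = (
    '<a href="view-source:http://www.iceteks.com">click here!</a>'
    '<a href=" VIEW-Source:http://www.iceteks.com">again</a>'
    '<a href="http://www.iceteks.com/">home</a>'
    '<a href="/news/">relative</a>'
)

if __name__ == "__main__":
    for tag, attr, url, scheme in audit_links(SAMPLE):
        print(f"rejected <{tag} {attr}={url!r}> scheme={scheme}")
```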
-
- Posts: 5140
- Joined: Fri Jan 10, 2003 1:14 am
notepad security vulnerability
You can also use "view-source:URL" with Mozilla, but it won't work unless you type it in the address bar yourself.
IE...
Archived topic from Iceteks, old topic ID:1427, old post ID:12271
- Red Squirrel
- Posts: 29209
- Joined: Wed Dec 18, 2002 12:14 am
- Location: Northern Ontario
notepad security vulnerability
Yep, no kidding. Basically, anything that is not IE is good.
You should get a popup on this post as well.
Archived topic from Iceteks, old topic ID:1427, old post ID:12275
- manadren_it
- Posts: 1810
- Joined: Wed Jan 01, 2003 6:48 pm
notepad security vulnerability
Does everything microsoft have to have a big old gaping hole associated with it?
Archived topic from Iceteks, old topic ID:1427, old post ID:12277
notepad security vulnerability
Maybe that's why the term Microshaft evolved!
Red, would you get rid of that dang popup?
Archived topic from Iceteks, old topic ID:1427, old post ID:12285
notepad security vulnerability
hahah it's a pain in the neck just to post here.... I'm on IE again and this stinks. I spent my website design class time trying to convince my teacher to use Opera...
also, how is this a security threat? I see it more as an oversight....
Archived topic from Iceteks, old topic ID:1427, old post ID:12286
- Red Squirrel
- Posts: 29209
- Joined: Wed Dec 18, 2002 12:14 am
- Location: Northern Ontario
notepad security vulnerability
wldkos wrote: hahah it's a pain in the neck just to post here.... I'm on IE again and this stinks. I spent my website design class time trying to convince my teacher to use Opera...
also, how is this a security threat? I see it more as an oversight....

Playing with people's stupidity is one way... for example, it could go something like this:
[dohtml]
<center>
<font size="4" color="red"><b><u>Free free free!!!!</u></b>
Click <a href="view-source:c:\windows\win.ini">here</a> or <a href="view-source:c:\winnt\win.ini">here</a> and clear the data that you see and win a free trip!!!</font>
</center>
[/dohtml]
(note: no one actually do this.)
Could easily be used in an email if the person is using Outlook or Outlook Express.
But it's the fact that it can open many files at once, causing instability problems (which is not too hard to start off with).
Archived topic from Iceteks, old topic ID:1427, old post ID:12289
- manadren_it
- Posts: 1810
- Joined: Wed Jan 01, 2003 6:48 pm
notepad security vulnerability
*cough* that's view-source:file://c:\winnt\win.ini
and besides, I don't think much would happen if you cleared that out. win.ini isn't really used much anymore, most of that crap was moved to the registry a long time ago.
And besides, microsoft probably sees this more as a feature than a giant gaping hole
Archived topic from Iceteks, old topic ID:1427, old post ID:12305
notepad security vulnerability
I don't see how that would do anything that you could benefit from... it would just open notepad on your machine...
BTW, I'm using Opera in school. I installed it on like every machine I sit at. And also the url that you put in here wouldn't be correct, since this is a unix host, so there is no win.ini, but say you put ?cat../../../../../etc/passwd
something along those lines would open up the passwd file for you and then fire up an Xterm.
Archived topic from Iceteks, old topic ID:1427, old post ID:12309
- Red Squirrel
- Posts: 29209
- Joined: Wed Dec 18, 2002 12:14 am
- Location: Northern Ontario
notepad security vulnerability
Doesn't Linux have protection so other processes can't call a ../ path? Does this mean I can do this on my host and access unauthorized stuff that easily? Figured it was somehow impossible to do that.
Archived topic from Iceteks, old topic ID:1427, old post ID:12311
- manadren_it
- Posts: 1810
- Joined: Wed Jan 01, 2003 6:48 pm
notepad security vulnerability
If I remember correctly the passwd file doesn't actually contain a lot of information, all the real stuff is in the shadow password file. Besides, you can't really edit anything with the cat command anyway.
Anyway, if you can access the passwd file that easily, most likely someone screwed up big time.
Archived topic from Iceteks, old topic ID:1427, old post ID:12324
- Red Squirrel
- Posts: 29209
- Joined: Wed Dec 18, 2002 12:14 am
- Location: Northern Ontario
notepad security vulnerability
And on top of it, it's encrypted anyway, right? I know for .htaccess authorization it's encrypted. I used to actually put the file in a folder and put a "deny from all" .htaccess in it and it would do the job.
Archived topic from Iceteks, old topic ID:1427, old post ID:12326
notepad security vulnerability
Well in my Hacking Exposed 2 book, they said that a while ago, people were using that "cat../../../../../etc/passwd" thing to get a lot of passwords and what not. Not that /etc/passwd listed the passes in clear text, but you could see the list of users and then get in that way. After that book was written... not too many people on *nix and *bsd systems make that mistake anymore.
Archived topic from Iceteks, old topic ID:1427, old post ID:12363
- Red Squirrel
- Posts: 29209
- Joined: Wed Dec 18, 2002 12:14 am
- Location: Northern Ontario
notepad security vulnerability
Actually, there's a Microsoft IIS exploit that works like that, but you can gain full access to cmd.exe (NT DOS prompt). I had at least one hit per day on my server but Apache did not fall for it. If you try http://www.iceteks.com/../ you get an error, that means Apache makes sure that does not work. What's somewhat interesting is that if you type http://www.iceteks.com/news/../ it brings you to the home page, which makes sense.
Archived topic from Iceteks, old topic ID:1427, old post ID:12365
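The two URLs in the last post behave differently because a server can collapse `..` segments before touching the filesystem and refuse any path that would climb above the document root. As an added example (not part of the thread, and not Apache's own code), this Python sketch shows that check; the names `resolve_request_path` and `classify` are hypothetical, and it also treats percent-encoded dots and backslashes like their literal forms, which goes beyond the case in the post.

```python
from urllib.parse import unquote, urlsplit


class TraversalError(ValueError):
    """Raised when a request path climbs above the document root."""


def resolve_request_path(url):
    """Collapse '.' and '..' segments; refuse paths that escape the root."""
    # Decode once, as a server does, so %2e%2e is seen as '..'. The file
    # lookup must use this same decoded string, never a second decode.
    path = unquote(urlsplit(url).path) or "/"
    # Treat backslash as a separator too, as Windows file APIs do.
    normalized = path.replace("\\", "/")
    stack = []
    for segment in normalized.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                raise TraversalError(f"{url!r} climbs above the document root")
            stack.pop()
        else:
            stack.append(segment)
    if not stack:
        return "/"
    # Keep the trailing slash of a directory-style request.
    tail = "/" if normalized.endswith(("/", "/.", "/..")) else ""
    return "/" + "/".join(stack) + tail


def classify(url):
    """Return the normalised path, or 'REJECTED' for a traversal attempt."""
    try:
        return resolve_request_path(url)
    except TraversalError:
        return "REJECTED"


if __name__ == "__main__":
    # Constructed requests; the first two are the URLs quoted in the post.
    for request in (
        "http://www.iceteks.com/news/../",
        "http://www.iceteks.com/../",
        "http://www.iceteks.com/news/%2e%2e/%2e%2e/etc/passwd",
        "http://www.iceteks.com/news/./index.html",
    ):
        print(f"{request} -> {classify(request)}")
```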