notepad security vulnerability
Posted: Wed Oct 08, 2003 10:39 pm
by Red Squirrel
Yes, the title is right, a security vulnerability involving notepad. It's not directly in notepad, but in IE.
See this for example:
[dohtml]
<a href="view-source:http://www.iceteks.com">click here!</a>
[/dohtml]
Code:
<a href="view-source:http://www.iceteks.com">click here!</a>
That simple! This can be used to open a bunch of notepad windows and create popups.
See this link for example:
http://members.cox.net/duno06/
more info:
http://www.computerbytesman.com/security/notepadpopups.htm
Archived topic from Iceteks, old topic ID:1427, old post ID:12270
notepad security vulnerability
Posted: Wed Oct 08, 2003 11:06 pm
by Chris Vogel
You can also use "view-source:URL" with Mozilla, but it won't work unless you type it in the address bar yourself.
IE...
Archived topic from Iceteks, old topic ID:1427, old post ID:12271
notepad security vulnerability
Posted: Thu Oct 09, 2003 9:33 am
by Red Squirrel
Yep, no kidding. Basically, anything that is not IE is good.
You should get a popup on this post as well.
Archived topic from Iceteks, old topic ID:1427, old post ID:12275
notepad security vulnerability
Posted: Thu Oct 09, 2003 10:49 am
by manadren_it
Does everything microsoft have to have a big old gaping hole associated with it?
Archived topic from Iceteks, old topic ID:1427, old post ID:12277
notepad security vulnerability
Posted: Thu Oct 09, 2003 1:44 pm
by Wren
Maybe that's why the term Microshaft evolved!
Red, would you get rid of that dang popup?
Archived topic from Iceteks, old topic ID:1427, old post ID:12285
notepad security vulnerability
Posted: Thu Oct 09, 2003 2:10 pm
by wldkos
hahaha, it's a pain in the neck just to post here.... I'm on IE again and this stinks. I spent my website design class time trying to convince my teacher to use Opera...
also, how is this a security threat? I see it more as an oversight....
Archived topic from Iceteks, old topic ID:1427, old post ID:12286
notepad security vulnerability
Posted: Thu Oct 09, 2003 3:16 pm
by Red Squirrel
wldkos wrote: hahaha, it's a pain in the neck just to post here.... I'm on IE again and this stinks. I spent my website design class time trying to convince my teacher to use Opera...
also, how is this a security threat? I see it more as an oversight....
Playing with people's stupidity is one way... for example, it could go something like this:
[dohtml]
<center>
<font size="4" color="red"><b><u>Free free free!!!!</u></b>
Click <a href="view-source:c:\windows\win.ini">here</a> or <a href="view-source:c:\winnt\win.ini">here</a> and clear the data that you see and win a free trip!!!</font>
</center>
[/dohtml]
(Note: no one should actually do this.)
Could easily be used in an email if the person is using Outlook or Outlook Express.
But it's the fact that it can open many files at once, causing instability problems (which is not too hard to start off with).
Archived topic from Iceteks, old topic ID:1427, old post ID:12289
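The two posts above show the same root cause from the forum's side: the [dohtml] tag let a poster put raw `<a href="view-source:...">` links into a page, and every reader on IE then got Notepad windows. The standard defence is to allow only a short list of URL schemes in user-submitted links and drop everything else (view-source:, javascript:, file:, vbscript:, data:, ...). The following is an added example of that check, not code from the Iceteks forum software; the allowed-scheme set and the sample post are assumptions constructed for the demonstration.

```python
"""Allowlist URL schemes in user-submitted HTML links (added example)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: site policy allows only these schemes in user content.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def is_safe_href(href):
    """True if href is relative or uses an allowed scheme.

    Whitespace is removed first so that a value split like 'view-\\nsource:'
    is still recognised as the view-source scheme.  The scheme is compared
    case-insensitively, so 'JavaScript:' is caught as well.
    """
    if href is None:
        return False
    cleaned = "".join(href.split())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return True  # relative link: resolves under the site's own scheme
    return scheme in ALLOWED_SCHEMES


class LinkSanitizer(HTMLParser):
    """Re-emit an HTML fragment, dropping <a href> values that fail the check."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []      # rebuilt markup
        self.dropped = []  # hrefs that were removed, for logging

    def _render(self, tag, attrs, selfclosing):
        parts = [tag]
        for name, value in attrs:
            if tag == "a" and name == "href" and not is_safe_href(value):
                self.dropped.append(value)
                continue  # omit the offending attribute entirely
            if value is None:
                parts.append(name)
            else:
                parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        return "<" + " ".join(parts) + (" />" if selfclosing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        pass  # comments are not re-emitted


def sanitize_links(fragment):
    """Return (clean_html, dropped_hrefs) for a user-submitted fragment."""
    parser = LinkSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample post, modelled on the links in this thread.
SAMPLE_POST = (
    '<a href="view-source:http://www.iceteks.com">click here!</a> '
    '<a href="http://www.iceteks.com/news/">news</a> '
    '<a href="javascript:alert(1)">free trip</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_links(SAMPLE_POST)
    print(clean)
    print("dropped:", dropped)
```

The sanitizer keeps the link text and only strips the `href`, so a reader still sees that a link was there but nothing opens when it is clicked; the `dropped` list is what you would write to a moderation log.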
notepad security vulnerability
Posted: Fri Oct 10, 2003 12:23 pm
by manadren_it
*cough* that's view-source:file://c:\winnt\win.ini
and besides, I don't think much would happen if you cleared that out. win.ini isn't really used much anymore, most of that crap was moved to the registry a long time ago.
And besides, microsoft probably sees this more as a feature than a giant gaping hole
Archived topic from Iceteks, old topic ID:1427, old post ID:12305
notepad security vulnerability
Posted: Fri Oct 10, 2003 1:50 pm
by wldkos
I don't see how that would do anything that you could benefit from... it would just open notepad on your machine...
BTW, I'm using Opera in school. I installed it on like every machine I sit at. And also the URL that you put in here wouldn't be correct, since this is a Unix host, so there is no win.ini, but say you put ?cat../../../../../etc/passwd
something along those lines would open up the passwd file for you and then fire up an Xterm.
Archived topic from Iceteks, old topic ID:1427, old post ID:12309
notepad security vulnerability
Posted: Fri Oct 10, 2003 2:58 pm
by Red Squirrel
Doesn't Linux have protection so other processes can't call a ../ path? Does this mean I can do this on my host and access unauthorized stuff that easily? Figured it was somehow impossible to do that.
Archived topic from Iceteks, old topic ID:1427, old post ID:12311
notepad security vulnerability
Posted: Fri Oct 10, 2003 8:00 pm
by manadren_it
If I remember correctly the passwd file doesn't actually contain a lot of information, all the real stuff is in the shadow password file. Besides, you can't really edit anything with the cat command anyway.
Anyway, if you can access the passwd file that easily, most likely someone screwed up big time.
Archived topic from Iceteks, old topic ID:1427, old post ID:12324
notepad security vulnerability
Posted: Fri Oct 10, 2003 8:50 pm
by Red Squirrel
And on top of it, it's encrypted anyway, right? I know for .htaccess authorization it's encrypted. I used to actually put the file in a folder and put a "deny from all" .htaccess in it and it would do the job.
Archived topic from Iceteks, old topic ID:1427, old post ID:12326
notepad security vulnerability
Posted: Sun Oct 12, 2003 12:10 pm
by wldkos
Well in my Hacking Exposed 2 book, they said that a while ago, people were using that "cat../../../../../etc/passwd" thing to get a lot of passwords and whatnot. Not that /etc/passwd listed the passes in clear text, but you could see the list of users and then get in that way. After that book was written... not too many people on *nix and *BSD systems make that mistake anymore.
Archived topic from Iceteks, old topic ID:1427, old post ID:12363
notepad security vulnerability
Posted: Sun Oct 12, 2003 12:43 pm
by Red Squirrel
Actually, there's a Microsoft IIS exploit that works like that, but you can gain full access to cmd.exe (NT DOS prompt). I had at least one hit per day on my server but Apache did not fall for it. If you try http://www.iceteks.com/../ you get an error, which means Apache makes sure that does not work. What's somewhat interesting is that if you type http://www.iceteks.com/news/../ it brings you to the home page, which makes sense.
Archived topic from Iceteks, old topic ID:1427, old post ID:12365
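The last post observes two behaviours that come from one rule: `/news/../` is served as the home page because the `..` stays inside the document root after normalisation, while `/../` is refused because it would climb above the root. The block below is an added example of that containment check in Python; it is not Apache's code, and the document root, the sample request paths (including the `../../etc/passwd` probe mentioned earlier in the thread) are constructed assumptions for the demonstration.

```python
"""Keep request paths inside the document root (added example, not Apache code)."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumption: a typical Apache document root


def normalise_path(url_path):
    """Collapse '.' and '..' segments; return None if the path climbs above '/'.

    posixpath.normpath silently drops a leading '..' on absolute paths, which
    would turn '/../' into '/' and hide the traversal attempt, so the segments
    are walked by hand and any attempt to pop past the root is reported.
    """
    segments = []
    for seg in url_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # would leave the document root
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def resolve_request_path(url_path, docroot=DOCROOT):
    """Map a request path onto the filesystem, or return None to refuse it.

    Percent-decoding happens exactly once before normalisation so that an
    encoded '%2e%2e' is seen as '..'; a NUL byte is refused because C-based
    servers would truncate the path there.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    normalised = normalise_path(decoded)
    if normalised is None:
        return None
    # '/' maps to the root directory itself (trailing slash kept).
    return docroot.rstrip("/") + normalised


def audit(paths, docroot=DOCROOT):
    """Return {request_path: resolved_path_or_None} for a batch of requests."""
    return {p: resolve_request_path(p, docroot) for p in paths}


# Constructed request paths modelled on the examples in this thread.
SAMPLE_PATHS = [
    "/",
    "/news/../",                  # Apache served the home page
    "/../",                       # Apache returned an error
    "/news/../../../etc/passwd",  # the traversal probe discussed above
    "/%2e%2e/%2e%2e/etc/passwd",  # same probe, percent-encoded
    "/news/./index.html",
]

if __name__ == "__main__":
    for request, resolved in audit(SAMPLE_PATHS).items():
        print("%-28s -> %s" % (request, resolved if resolved else "REFUSED"))
```

In a real server the resolved path is additionally passed through `os.path.realpath` so that a symlink under the root cannot point outside it, and directory requests get index-file handling; both are left out here because the example runs without a filesystem.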