[Reports] Internet Explorer arbitrary command execution (user interaction required)

26/09/2004 - 19:53 por a | Informe spam

Affected:
Windows XP (SP1)
Windows XP (SP2) - with limitations

Problem: The Internet Explorer "View...Source" feature, appears not to
use a fully specified path to notepad.exe.

If an attacker is able to convince the user to download (or otherwise
have) a file named notepad.bat / notepad.exe on their desktop, it will
be executed when clicking "View... Source" in Internet Explorer.

Additionally on Windows XP (pre SP2) the view source feature can be
run automatically on visiting a web page (in service pack 2 the view
source feature appears to have been removed, additionally the warning
toolbar is displayed).

<html>
<head>
<script language=JavaScript>
function viewsource() {
window.location = "view-source:" + window.location.href
}
</script>
</head>
<body onload="javascript:viewsource()">
<a href="javascript:viewsource()">View Source</a>
</body>
</html>

The problem of view source executing files on the desktop named
"notepad"
http://groups.google.com/groups?dq=...2msftngp13
appears to have been known about at least since December 2002.