[ SOURCE: http://www.secureroot.com/security/advisories/9734901602.html ]

The following security vulnerability has been found in 

Microsoft Internet Explorer version 5.5

When "
" (an undisplayable character, which is 

eaqual to the 1st caharacter in ASCII table - after the 

0th...) inserted in some strategic position in 

Javascript code ,it is possible to access to local files 

or to the IFRAMES DOM, cookies from other 

domains etc...



The "
" character also can be replaced by &#01...



The original "%01" bug was found by Georgi Guninski 

in various versions of IE and was patched later...

IE5.5 seemed that it is immune to the aforementioned 

bug...

But when the transformation done, it reveals 

important information...



There is another strange behaviour of IE that I came 

across:

When "%01" inserted in a script IE never loads the 

page fully, it does not display error message in most 

cases either.It seems that it is in an infinite loop 

between the task "Load the page" and "Don't load the 

page if it contains 'somewhere' '%01'..." This inspired 

me that '%01' has still a special meaning to the 

newest version of IE.... 



There are many CODES that can be applied... you 

can see them at http://horoznet.com/AlpSinan



Just one of them: this code will access Cookies of 

any domain....

(before testing this code replace  ! with i in the script 

tag)

<OBJECT

   classid="clsid:AE24FDAE-03C6-11D1-8B76-

0080C744F389" width="1024" height="500">

<PARAM NAME="URL" value="about:<iframe id=box 

src='http://lc2.law5.hotmail.passport.com/cgi-

bin/login' width='800' ></iframe><scr!pt>setTimeout

('alert(\'your cookie from hotmail 

\'+box.document.cookie)',10000) </scr!

pt>
http://lc2.law5.hotmail.passport.com/cgi-

bin/login">

</OBJECT>



"I in formed MICROSOFT security team via email but 

until now no feedback appeared"



Demonstration can be found at 

http://horoznet/AlpSinan



Alp Sinan