[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Microsoft Internet Explorer 5.5 ASCI equivalent of "%01"

Title: Microsoft Internet Explorer 5.5 ASCI equivalent of "%01"
Released by: Alp Sinan
Date: 6th October 2000
Printable version: Click here
The following security vulnerability has been found in 

Microsoft Internet Explorer version 5.5

When "" (an undisplayable character, which is 

eaqual to the 1st caharacter in ASCII table - after the 

0th...) inserted in some strategic position in 

Javascript code ,it is possible to access to local files 

or to the IFRAMES DOM, cookies from other 

domains etc...

The "" character also can be replaced by ...

The original "%01" bug was found by Georgi Guninski 

in various versions of IE and was patched later...

IE5.5 seemed that it is immune to the aforementioned 


But when the transformation done, it reveals 

important information...

There is another strange behaviour of IE that I came 


When "%01" inserted in a script IE never loads the 

page fully, it does not display error message in most 

cases either.It seems that it is in an infinite loop 

between the task "Load the page" and "Don't load the 

page if it contains 'somewhere' '%01'..." This inspired 

me that '%01' has still a special meaning to the 

newest version of IE.... 

There are many CODES that can be applied... you 

can see them at http://horoznet.com/AlpSinan

Just one of them: this code will access Cookies of 

any domain....

(before testing this code replace  ! with i in the script 



bin/login' width='800' >setTimeout

('alert(\'your cookie from hotmail 

\'+box.document.cookie)',10000) http://lc2.law5.hotmail.passport.com/cgi-


"I in formed MICROSOFT security team via email but 

until now no feedback appeared"

Demonstration can be found at 


Alp Sinan

(C) 1999-2000 All rights reserved.