From: Salman Siddiqui (bugtraqSALMAN.CA)
Date: Sat Apr 07 2001 - 19:38:17 CDT
Apologies for a truncated response earlier.
Tried it on NT4 SP6a IE 5.5 and on Win ME IE 5.5 - both worked but returned
the environment variable from the LOCAL MACHINE, not the web server.
Apparently the local command parsing engine is responsible for expansion of
variable names prior to passing the command line off to Internet Explorer.
Verified from Web server logs that the command received was in fact expanded
results of the environment variables.
It's probably possible to rig up error messages and get visitors to click a
url to reveal information about the visitor's system to the web server.
Scenario: a malicious web site operator entices a user to click url
http://www.home.com/%computername% and modifies the 404 standard response
from the web server, to obtain further information. Probably a user name can
also be extracted using this method.
RIP is irrelevant. Spoofing is futile. Your routes will be aggregated.
> -----Original Message-----
> From: VULN-DEV List [mailto:VULN-DEVSECURITYFOCUS.COM]On Behalf Of
> Edwin Concepcion
> Sent: Saturday, April 07, 2001 11:54 AM
> To: VULN-DEVSECURITYFOCUS.COM
> Subject: Re: Possible IE5.0 exposure of local environment variables
> At 01:11 PM 4/6/01 -0400, you wrote:
> Also tested on NT Workstation 4.0 SP6a, using IE 5.50.4522.1800 SP1
> and the url looks like http://www.home.com/DEFAULT (default =
> This can be used to get information about the system ( the %variables%) by a
> malicious script.
> This also works with http://www.home.com/%SystemRoot% and
> This can also be used by Microsoft to get information about our systems.
> Edwin Concepcion Cordero
> # got root?
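The expansion the thread describes, as a constructed simulation added here (not code from either poster): a cmd.exe-style parser replaces %NAME% references from the local environment before the URL reaches the browser, so the web server logs the expanded values. SAMPLE_ENV is a made-up environment and the function names are assumptions; the neutralised form assumes the input URL is not already percent-encoded.

```python
import re

# Constructed sample environment standing in for the visitor's machine
# (made-up values; a real Windows box supplies COMPUTERNAME etc.).
SAMPLE_ENV = {
    "COMPUTERNAME": "WKSTN01",
    "USERNAME": "jdoe",
    "SystemRoot": r"C:\WINNT",
}

# cmd.exe-style reference: a name between two percent signs, with no
# whitespace or path separators inside the name.
ENV_REF = re.compile(r"%([^%\s/\\]+)%")


def find_env_references(url):
    """Return the variable names a cmd.exe-style expansion would look up."""
    return ENV_REF.findall(url)


def expand_like_cmd(url, env):
    """Simulate what the local command parser does before IE sees the URL.

    Lookup is case-insensitive, as Windows environment names are; a name
    that is not defined is left as the literal %NAME% text, which is how
    cmd.exe treats undefined references on a command line.
    """
    lowered = {k.lower(): v for k, v in env.items()}

    def sub(m):
        return lowered.get(m.group(1).lower(), m.group(0))

    return ENV_REF.sub(sub, url)


def leaks_environment(url, env):
    """True if handing this URL to a shell would expose values from env."""
    return expand_like_cmd(url, env) != url


def neutralise_url(url):
    """Percent-encode '%' so no %NAME% pair survives to be expanded.

    After URL-decoding the server still sees a literal '%', so the request
    path is preserved; only the shell-level expansion is blocked.
    """
    return url.replace("%", "%25")


if __name__ == "__main__":
    for u in ("http://www.home.com/%computername%",
              "http://www.home.com/%SystemRoot%/%USERNAME%"):
        print(u, "->", expand_like_cmd(u, SAMPLE_ENV))
        print("  neutralised:", neutralise_url(u))
```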