Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan


After playing around with various functions, it soon becomes obvious that SaveAsBMP and SaveAsWMF happily accept any path provided to save the generated graphic in the specified location. This can make it possible to overwrite existing files with the picture if the user running IE has sufficient access. This is a perfect example of a program using untrusted data and operating on it without any kind of checks. It is likely that the control's author did not consider the security implications of what they were doing.

A sample exploit for this vulnerability, written by shinnai, can be found on Milw0rm: http://www.milw0rm.com/exploits/4420.