QwikSec

Security Database

CVE

CWE

Training

CVE-2006-3281

Published: Jun 28, 2006

Modified: Aug 7, 2024

PUBLISHED

Description

Microsoft Internet Explorer 6.0 does not properly handle Drag and Drop events, which allows remote user-assisted attackers to execute arbitrary code via a link to an SMB file share with a filename that contains encoded ..\ (%2e%2e%5c) sequences and whose extension contains the CLSID Key identifier for HTML Applications (HTA), aka "Folder GUID Code Execution Vulnerability." NOTE: directory traversal sequences were used in the original exploit, although their role is not clear.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

20060627 IE_ONE_MINOR_ONE_MAJOR

mailing-list

x_refsource_FULLDISC

third-party-advisory

x_refsource_SECUNIA

third-party-advisory

x_refsource_CERT-VN

vdb-entry

x_refsource_BID

vdb-entry

x_refsource_SECTRACK

http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj

x_refsource_MISC

third-party-advisory

x_refsource_CERT

oval:org.mitre.oval:def:318

vdb-entry

signature

x_refsource_OVAL

vendor-advisory

x_refsource_MS

ie-hta-fileshare-command-execution(27456)

vdb-entry

x_refsource_XF

vdb-entry

x_refsource_VUPEN

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.