I reported this hole to Microsoft in March 2000. They finally got around to fixing it in May 2000, when someone else reported what essentially amounts to the same hole.
Note that even if you had an old vulnerable version, the URLs given in the message below won't work any more.
My original mail reporting this hole to Microsoft follows:
Date: Sun, 19 Mar 2000 17:43:14 -0700 (MST)
From: Marc Slemko <[email protected]>
To: [email protected]
Subject: IE cookie stealing bug

There appears to be a bug in IE5 that lets you steal a user's cookies for any domain if you can convince them to load a given URL. It may depend on javascript (or other active scripting languages), but I'm not certain about that.

The basic idea is that if you access a URL in the form:

http://10.0.0.1%20.msn.com/foo.html

then IE will load content from 10.0.0.1, but javascript running from foo.html will have access to any .msn.com cookies since it thinks it is in .msn.com.

Note that this doesn't appear to let you steal host-specific cookies.

This was tested using a version of IE on win95 that identifies itself as:

Version: 5.00.2919.6307

For an example, go to:

http://alive.znep.com/~marcs/iedomain/site.html

and enter a hostname in the domain that you want to steal cookies from (e.g. foo.msn.com). The page will then redirect you to a URL of the form:

http://207.167.15.58%20foo.msn.com/~marcs/iedomain/grab.html

where foo.msn.com is, of course, the domain entered in the first step. This file contains javascript to send your cookies to printargs.cgi, which just prints them out. At that point, the cookies have been stolen.

There do appear to be some oddities that can crop up when trying to exploit this, and I don't know if this is already fixed by a newer version or not (although I don't recall seeing anything about this hole), and I don't know what other consequences or ways to exploit it that there may be here.

Let me know if you can't reproduce it or have any questions.
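The mail above describes a parser-disagreement bug: the part of the browser that picks the server to connect to reads the host as "10.0.0.1", while the cookie code reads the same host as something ending in ".msn.com". The following JavaScript is an added illustration of that bug class, not code from this page, from the demonstration site it links to, or from IE. The naive parser, the hardened parser, the cookie jar and the matching rules are all constructed here to model the behaviour the report describes; IE5's actual logic is not on the page and is not claimed.

```javascript
// Added example (not code from Marc Slemko's page or from IE): a model of
// the bug class he reports, in which the URL parser that picks the server
// to connect to and the cookie code that decides which cookies to send
// disagree about what the host is. The cookie jar and the parsing rules
// are constructed for illustration; IE5's real logic is not on the page.

// Split an http(s) URL into its raw (still percent-encoded) host and path.
function splitUrl(url) {
  const m = /^https?:\/\/([^/?#]+)([/?#].*)?$/.exec(url);
  if (!m) throw new Error("not an http(s) URL: " + url);
  return { rawHost: m[1], path: m[2] || "/" };
}

// Naive model: percent-decode the host, connect to the first
// whitespace-delimited token, but hand the whole decoded string to the
// cookie code. "10.0.0.1%20foo.msn.com" becomes connectHost="10.0.0.1"
// and cookieHost="10.0.0.1 foo.msn.com".
function naiveParse(url) {
  const { rawHost, path } = splitUrl(url);
  const decoded = decodeURIComponent(rawHost);
  return { connectHost: decoded.split(/\s+/)[0], cookieHost: decoded, path };
}

// Hardened model: the host is validated once, before any decoding, and
// the same value drives both the connection and the cookie decision.
// Anything outside the letters, digits, dots and hyphens a hostname may
// contain (RFC 1123) is rejected, so a "%20" never gets a chance to
// mean two different things to two different components.
const HOST_RE =
  /^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$/;
function strictParse(url) {
  const { rawHost, path } = splitUrl(url);
  if (!HOST_RE.test(rawHost)) throw new Error("invalid host: " + rawHost);
  return { connectHost: rawHost, cookieHost: rawHost, path };
}

// Cookie-domain matching as the report describes it: a domain cookie
// (Domain=.msn.com) goes to any host ending in that suffix; a host-only
// cookie goes only to the exact host. This is why the report notes that
// host-specific cookies were not exposed: "10.0.0.1 foo.msn.com" ends in
// ".msn.com" but is not equal to "foo.msn.com".
function cookieMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain.slice(1) || host.endsWith(cookie.domain);
}

// Given a parser and a jar, return the host actually contacted and the
// names of the cookies that would be attached to a request for `url`.
function simulateRequest(parse, url, jar) {
  const { connectHost, cookieHost } = parse(url);
  const sent = jar.filter(c => cookieMatches(c, cookieHost)).map(c => c.name);
  return { connectHost, sent };
}

// Constructed cookie jar for the demonstration (not real cookies).
const JAR = [
  { name: "msn_session", domain: ".msn.com",     hostOnly: false },
  { name: "foo_only",    domain: "foo.msn.com",  hostOnly: true  },
  { name: "other_site",  domain: ".example.com", hostOnly: false },
];

// The URL shape from the report: attacker's IP, "%20", victim domain.
const ATTACK_URL = "http://10.0.0.1%20foo.msn.com/foo.html";

function naiveResult() {
  return simulateRequest(naiveParse, ATTACK_URL, JAR);
}
function strictResult() {
  try {
    return simulateRequest(strictParse, ATTACK_URL, JAR);
  } catch (e) {
    return { connectHost: null, sent: [], rejected: e.message };
  }
}

console.log("naive :", naiveResult());   // connects to 10.0.0.1, sends msn_session
console.log("strict:", strictResult());  // URL rejected, nothing sent
```

Run it with node: the naive model contacts 10.0.0.1 while attaching the .msn.com domain cookie, which is exactly the leak the report describes, and the host-only cookie stays put, matching the observation that host-specific cookies were not exposed. The hardened model refuses the URL before either component sees it. The general lesson is that the host string must be canonicalised and validated once and then shared, rather than being re-interpreted independently by the network layer and the cookie layer.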