(MSIE)A rather old trick for web server is now played on MSIE.
Dec 26 2002 05:38AM
Liu Die Yu (liudieyuinchina yahoo com cn)
(MSIE)A rather old trick for web server is now played on MSIE.
("that's all" is the end of file if you are in a hurry)
[tested]MSIEv6(CN version)
Patch: Q312461,Q328970(MS02-066)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}
[demo]
at
http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
or
clik.to/liudieyu ==> viaSWFurl-MyPage section.
or
[code.url start]
http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?"><SCRIPT>alert(document.cookie)</SCRIPT>
[code.url end]
[exp]
MSIE generates a page to load a multimedia file instead of loading it
directly.
The automatically generated page for loading an SWF (the extension of a
Flash file) contains the URL of the SWF file -- without any encoding.
So the oldest XSS trick works on MSIE.
that's all.
[how]
(real show)
First, realize MS programmers are lazy (= "too busy") and they prefer to
look wise, so you can suspect that they generate a page to load a multimedia
file.
Then, check it: I played a small trick: typing
javascript:alert(document.body.innerHTML)
in the address field when the content of MSIE is a JPG file.
Soon after confirmation, try the trick and you'll find it doesn't work on
a JPG file because the URL is encoded properly. (That programmer must have
been fired for his defence.)
Now you may lose self-confidence -- MS is not that foolish.
But thinking about the "document.open" hole (not "flaw") will encourage you.
(the essential point!)
then after several tries, you have this document.
(very few steps)
[more?]
this trick may work on other browsers, but i can't test it at present.
[BTW]
(0)merry Christmas!
(1)Greetings to "the Pull"
(2)there are many demoz at http://www.safecenter.net (thanx to "Dror
Shalev" for making them)
(3)i'm busy with exams, hope you can understand and forgive my delay (the
school is really crazy). i'll have a 30-day holiday. i think it's enough
to make a site showing tricks i know, why they work, how to exploit them,
and how people got the ideas. it's crosszone.org (not ready yet)
(4)LOTUS: i am slow.
[contact]
clik.to/liudieyu ==> "How to contact Liu Die Yu" section
(any postcard? :-) )
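As an added illustration (not part of Liu Die Yu's post, and not MSIE's actual code), the following JavaScript models the "generated loader page" pattern the post describes. One builder pastes the media URL into an attribute verbatim, the other HTML-encodes it first; a small check counts how many real script tags end up in the output. The `<embed>` template, the function names and the scheme check are assumptions; the only page-specific value is the URL quoted in the post, reused here as test input.

```javascript
// Added example (hypothetical loader template, not MSIE's own markup):
// a loader takes a media URL and emits an HTML page that references it.

// Test input: the URL quoted in the original post. Everything after "?"
// is the part that is dangerous when copied into markup unencoded.
const POSTED_PAYLOAD =
  'http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?' +
  '"><SCRIPT>alert(document.cookie)</SCRIPT>';

// Encode the five characters that can change meaning inside an HTML
// attribute value or text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unsafe builder: the URL is interpolated with no encoding, which is the
// defect the post describes. A '"' in the URL closes the src attribute and
// whatever follows becomes markup.
function buildLoaderPageUnsafe(url) {
  return '<html><body><embed src="' + url +
    '" type="application/x-shockwave-flash"></body></html>';
}

// Hardened builder: attribute-encode the URL so quotes and angle brackets
// stay inside the attribute value instead of terminating it.
function buildLoaderPageSafe(url) {
  return '<html><body><embed src="' + escapeHtml(url) +
    '" type="application/x-shockwave-flash"></body></html>';
}

// Defender-side check on generated output: count <script ...> open tags that
// appear as real markup. This template emits none itself, so any non-zero
// count means attacker-controlled input reached the page as markup.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Scheme allow-listing is a reasonable first filter, but note that it does
// NOT stop this case: the posted URL is a well-formed http URL whose query
// string carries the markup. Output encoding is the control that matters.
function isAcceptableMediaUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Stand-alone run: show both builders side by side.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe script tags:', countScriptTags(buildLoaderPageUnsafe(POSTED_PAYLOAD)));
  console.log('safe   script tags:', countScriptTags(buildLoaderPageSafe(POSTED_PAYLOAD)));
  console.log('scheme check passes:', isAcceptableMediaUrl(POSTED_PAYLOAD));
}
```

Running it under Node prints one script tag for the unsafe page, zero for the hardened one, and `true` for the scheme check, which is the point the post makes about the JPG case versus the SWF case: the difference is not what the URL looks like but whether the wrapper encodes it before writing it into HTML.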
Copyright 2009, SecurityFocus