BugTraq
(MSIE)A rather old trick for web server is now played on MSIE.
Dec 26 2002 05:38AM
Liu Die Yu (liudieyuinchina yahoo com cn)
(MSIE)A rather old trick for web server is now played on MSIE.
("that's all" is the end of file if you are in a hurry)
[tested] MSIEv6 (CN version)
Patch: Q312461, Q328970 (MS02-066)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}
[demo]
at
http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
or
clik.to/liudieyu ==> viaSWFurl-MyPage section.
or
[code.url start]
http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?"><SCRIPT>alert(document.cookie)</SCRIPT>
[code.url end]
[exp]
MSIE generates a page to load a multimedia file instead of loading it
directly.
the automatically generated page for loading an SWF (the extension of a
flash file) file contains the URL of the SWF file -- without any encoding.
so the oldest XSS trick works on MSIE.
that's all.
[how]
(real show)
first, realize MS programmers are lazy (= "too busy") and they prefer to
look wise, so you can doubt that they generate a page to load a multimedia
file.
then, check it: i played a small trick: typing
javascript:alert(document.body.innerHTML)
in the address field when the content of MSIE is a JPG file.
soon after confirmation, try the trick and you'll find it doesn't work on
a JPG file because the URL is encoded properly. (that programmer must have
been fired for his defence)
now you may lose self-confidence -- MS is not that foolish.
but thinking about "document.open" hole (not "flaw") will encourage you.
(the essential point!)
then after several tries, you have this document.
(very few steps)
[more?]
this trick may work on other browsers, but i can't test it at present.
[BTW]
(0)merry Christmas!
(1)Greetings to "the Pull"
(2)there are many demoz at http://www.safecenter.net (thanx to "Dror
Shalev" for making them)
(3)i'm busy with exams, hope you can understand and forgive my delay (the
school is really crazy). i'll have a 30-day holiday. i think it's enough
to make a site showing tricks i know, why they work, how to exploit them,
and how people got the ideas. it's crosszone.org (not ready yet)
(4)LOTUS: i am slow.
[contact]
clik.to/liudieyu ==> "How to contact Liu Die Yu" section
(any postcard? :-) )
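Added example, not part of the post above and not Microsoft's code: a Python reconstruction of the two behaviours the post contrasts. `wrapper_page_unescaped` splices the file URL into a generated loader page verbatim, which is what the post says the SWF wrapper does; `wrapper_page_escaped` percent-encodes the URL and then HTML-escapes it for attribute context, which is what the post says happens for the JPG wrapper. A small parser-based check shows which elements each page actually produces. The template, the function names and the check are assumptions; the sample URL is the one from the post.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample input: the demo URL from the post, whose query string
# carries an HTML-injection payload. Only this string is attacker-controlled.
POSTED_URL = (
    "http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?"
    '"><SCRIPT>alert(document.cookie)</SCRIPT>'
)

# Hypothetical loader template, standing in for the page the browser generates.
TEMPLATE = '<html><body><embed src="%s" type="application/x-shockwave-flash"></body></html>'


def wrapper_page_unescaped(swf_url):
    """Vulnerable variant (reconstruction of the behaviour the post describes):
    the URL lands in an attribute value verbatim, so a double quote in it
    terminates the attribute and the remainder is parsed as markup."""
    return TEMPLATE % swf_url


def wrapper_page_escaped(swf_url):
    """Hardened variant: percent-encode characters that do not belong in a URL,
    then HTML-escape for attribute context. quote=True also escapes double
    quotes, the character that breaks out in the vulnerable variant."""
    url_encoded = quote(swf_url, safe=":/?&=#%")
    return TEMPLATE % html.escape(url_encoded, quote=True)


class TagCollector(HTMLParser):
    """Minimal parser used only to see which elements a browser would create
    from the generated page and what src the embed element ends up with."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.embed_src = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "embed":
            self.embed_src = dict(attrs).get("src")


def parse_tags(page):
    """Return (list of start-tag names in document order, src of the embed)."""
    p = TagCollector()
    p.feed(page)
    p.close()
    return p.tags, p.embed_src


def has_injected_script(page):
    """Detection check: the template only declares html/body/embed, so any
    script element means the URL broke out of its attribute."""
    tags, _ = parse_tags(page)
    return "script" in tags


if __name__ == "__main__":
    for name, fn in (("unescaped", wrapper_page_unescaped),
                     ("escaped", wrapper_page_escaped)):
        page = fn(POSTED_URL)
        tags, src = parse_tags(page)
        print(name, "tags:", tags, "injected:", has_injected_script(page))
        print("  embed src:", src)
```

The point the check makes is that the fix is context-aware encoding of the untrusted value at the place it is inserted: in the hardened page the embed still receives the whole (now harmless, percent-encoded) URL, while the vulnerable page has grown a script element that the template never declared.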
Copyright 2010, SecurityFocus