Vanja Hrustic wrote: > > This has been mentioned before, but it's probably good to remind > Microsoft about some outstanding issues. > > Request : http://www.microsoft.com/anything.ida > Response: The IDQ file d:\http\anything.ida could not be found. > > Request : http://www.microsoft.com/anything.idq > Response: The IDQ file d:\http\anything.idq could not be found. > > Microsoft is running IIS5 > > The same problem still exists on IIS4 (tested with SP5 - didn't try on > SP6). > > It's not really a big deal, but they should fix it. > This leads to a client side problem also. The problem is IIS does not escape the response, so one may put some HTML and javascript in the page returned from www.microsoft.com. Vulnerabilities: 1) For IE (tested on 5.01, probably other versions) - if the user has put www.microsoft.com in the Trusted sites security zone, then hostile javascript and ActiveX may be executed in the Trusted sites security zone. 2) It is possible to spoof www.microsoft.com by just clicking on a link. There are probably other vulnerabilities. Demonstration - click on the links, may also be invoked by javascript: For IE: http://www.microsoft.com/%3CP%20style=left:expression(alert("window.location:"+window.location))%3E.ida (I am surprised <IMG SRC="javascript:code"> does not work in IE, one need to reload the page in order to make it executed) For Communicator: http://www.microsoft.com/%3CIMG%20SRC=javascript:alert("window.location:"+window.location)%3E.ida Regards, Georgi Guninski http://www.nat.bg/~joro
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:27:56 PDT