Hello out there,

At 11:10 13.01.00, Georgi Guninski wrote:

>This leads to a client side problem also.
>The problem is IIS does not escape the response, so one may put some
>HTML and javascript in the page returned from www.microsoft.com.
>Vulnerabilities:
>1) For IE (tested on 5.01, probably other versions) - if the user has
>put www.microsoft.com in the Trusted sites security zone, then hostile
>javascript and ActiveX may be executed in the Trusted sites security
>zone.

Even if you mind to see <anyhost>.microsoft.com as a trusted site - it also works with the update host, where you need more rights to use it :-(

http://windowsupdate.microsoft.com/%3CIMG%20SRC=javascript:alert("Insecurity starts here!\nwindow.location:"+window.location)%3E.ida
[URL probably wrapped]

This also works with IE (5.0 DE) and IMG SRC - I do not have to reload the page (I guess it's because of the last IE bug Georgi found - IE starts it in the security context of the previously used page - when pasting the URL in the location field it does not start when the previous URL was not able to execute JS).

Moreover: the <P>-URL puts up the dialog again immediately after closing the box, so that you have to kill IE...

http://www.microsoft.com/%3CP%20style=left:expression(alert("window.location :"+window.location))%3E.ida
[URL probably wrapped]

Have secure fun,
Shalom dann,
Norbert

--
Norbert Luckhardt          http://www.heise.de/ct/Redaktion/nl/
Redaktion c't              Tel.: +49 511 5352 - 300
Helstorfer Str. 7          Fax:  +49 511 5352 - 417
D-30625 Hannover           BBS:  +49 511 5352 - 301
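The server-side half of what Georgi describes (a path reflected verbatim into an HTML error page) can be shown next to the fix that would have defused it. The following is an added Python illustration, not code from the post or from IIS: the `reflect_unescaped` function is a stand-in for the unsafe reflection, `reflect_escaped` is the same template with HTML entity encoding applied to the untrusted path, and the sample path is the decoded form of the IMG request quoted above (constructed here for the demonstration; the page template text is invented).

```python
import html
from urllib.parse import unquote

# Constructed sample: the decoded request path from the message above, i.e. the
# string a server would reflect when reporting that the .ida resource is missing.
SAMPLE_PATH = unquote(
    "/%3CIMG%20SRC=javascript:alert(%22Insecurity%20starts%20here!%22)%3E.ida"
)


def reflect_unescaped(path: str) -> str:
    """Unsafe pattern (hypothetical template, not IIS's own): the requested path
    is copied into the HTML response as-is, so '<' and '>' in the path are
    parsed by the browser as markup, which is the reflected-script problem."""
    return f"<html><body>The file {path} was not found.</body></html>"


def reflect_escaped(path: str) -> str:
    """Hardened variant of the same template: the path is HTML-entity-encoded
    before it is embedded, so '<', '>', '&' and quotes reach the browser as
    text (&lt; &gt; &amp; &quot;) rather than as tag or attribute syntax."""
    return (
        "<html><body>The file "
        f"{html.escape(path, quote=True)}"
        " was not found.</body></html>"
    )


def contains_markup(page: str) -> bool:
    """Check used to compare the two variants: does the reflected part of the
    page (between the fixed template fragments) still carry a raw tag?"""
    body = page.split("The file ", 1)[1].rsplit(" was not found.", 1)[0]
    return "<" in body or ">" in body


if __name__ == "__main__":
    print("unescaped reflects markup:", contains_markup(reflect_unescaped(SAMPLE_PATH)))
    print("escaped reflects markup:  ", contains_markup(reflect_escaped(SAMPLE_PATH)))
```

The point of the comparison is that the defence belongs at the output boundary: the hardened variant changes nothing about which requests are accepted, it only encodes what is written back, so the browser never sees an element regardless of what the URL contained.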
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:32 PDT