(MSIE) A rather old trick for web servers is now played on MSIE.

From: Liu Die Yu (liudieyuinchinaat_private)
Date: Wed Dec 25 2002 - 21:38:39 PST


    (MSIE) A rather old trick for web servers is now played on MSIE.
    ("that's all" is the end of the file if you are in a hurry)
    
    [tested] MSIE v6 (CN version)
    Patch: Q312461, Q328970 (MS02-066)
    {IEXPLORE.EXE file version: 6.0.2600.0000}
    {MSHTML.DLL file version: 6.00.2600.0000}
    
    
    [demo]
    at 
    http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
    or 
    clik.to/liudieyu ==> viaSWFurl-MyPage section.
    or
    [code.url start]
    http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?
    "><SCRIPT>alert(document.cookie)</SCRIPT>
    [code.url end]
    
    
    
    [exp]
    MSIE generates a page to load a multimedia file instead of loading it
    directly.
    The automatically generated page for loading an SWF file (the extension
    of a Flash file) contains the URL of the SWF file -- without any encoding.

    So the oldest XSS trick works on MSIE.
    
    that's all.
    
    [how]
    (real show)
    
    First, realize MS programmers are lazy (= "too busy") and they prefer to
    look wise, so you can doubt that they generate a page to load a multimedia
    file.
    Then, check it: I played a small trick: typing
    javascript:alert(document.body.innerHTML)
    in the address field when the content of MSIE is a JPG file.
    Soon after confirmation, try the trick and you'll find it doesn't work on
    a JPG file because the URL is encoded properly. (That programmer must have
    been fired for his defence.)
    Now you may lose self-confidence -- MS is not that foolish.
    But thinking about the "document.open" hole (not "flaw") will encourage you.
    (the essential point!)
    Then after several tries, you have this document.
    
    (very few steps)
    
    [more?]
    This trick may work on other browsers, but I can't test it at present.
    
    [BTW]
    (0) Merry Christmas!
    (1) Greetings to "the Pull"
    (2) There are many demoz at http://www.safecenter.net (thanx to "Dror
    Shalev" for making them)
    (3) I'm busy with exams, hope you can understand and forgive my delay (the
    school is really crazy). I'll have a 30-day holiday. I think it's enough
    to make a site showing tricks I know, why they work, how to exploit them,
    and how people got the ideas. It's crosszone.org (not ready yet)
    (4) LOTUS: I am slow.
    
    [contact]
    clik.to/liudieyu ==> "How to contact Liu Die Yu" section
    (any postcard? :-) )
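The mechanism described in the [exp] section, as an added example that is not part of the original post: a minimal model of a browser-generated "wrapper page" for a media file, built once without encoding (the behaviour the post describes) and once with HTML attribute encoding, plus a regression check a defender can run over such templates. The wrapper markup and the example.invalid host are assumptions; the real MSHTML template is not on the page.

```javascript
// Added example, not code from the original post. The <embed> template
// below is an ASSUMED stand-in for the wrapper page MSIE generated; the
// point is only how the media URL is interpolated into HTML.

// Constructed sample URL in the shape the post demonstrates: an SWF path
// whose query string tries to close the quoted attribute.
const SAMPLE_URL =
  'http://example.invalid/flash.swf?"><SCRIPT>alert(document.cookie)</SCRIPT>';

// Vulnerable variant: the URL is dropped into the attribute value as-is,
// so a double quote in it terminates the attribute and the rest is markup.
function buildWrapperUnsafe(url) {
  return '<html><body><embed src="' + url + '"></body></html>';
}

// Encode every character that has meaning inside an HTML attribute value.
// '&' must be encoded too, or later entities could be re-interpreted.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened variant: the URL can no longer break out of the quoted attribute.
function buildWrapperSafe(url) {
  return '<html><body><embed src="' + escapeHtmlAttr(url) + '"></body></html>';
}

// Regression check for a wrapper template: the only elements the template
// itself emits are html/body/embed, so any <script> tag means the input
// URL reached the markup unencoded.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Run both variants over the sample URL and report which one is injectable.
function demo(url = SAMPLE_URL) {
  return {
    unsafeInjected: containsInjectedScript(buildWrapperUnsafe(url)), // true
    safeInjected: containsInjectedScript(buildWrapperSafe(url)),     // false
  };
}
```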
    
    This archive was generated by hypermail 2b30 : Thu Dec 26 2002 - 16:46:01 PST