I've attached a new error.txt that, when renamed to error.jpg, gives me the following error: The XML page cannot be displayed Cannot view XML input using style sheet. Please correct the error and then click the Refresh button, or try again later. ------------------------------------------------------------------------ -------- An invalid character was found in text content. Error processing resource 'file:///C:/error.jpg'. This seems to indicate that the jpg is indeed being executed as XML. I can't figure out how to get rid of this 'invalid character', though. I don't have much XML experience, and I may be missing something simple. Also, this is on IE6 / WinXP Pro, both fully patched and supposedly not vulnerable to the sample exploit I pasted in for the body. I don't know if this has anything to do with the error I'm getting, though. I couldn't find a cut-and-paste pure XML example that would pop up a dialog box or some such, and changing the content after the first XML header line from the original error.txt still gives me this error. -----Original Message----- From: Ryan Goetzinger [mailto:rgoetzingerat_private] Sent: Thursday, July 11, 2002 4:22 PM To: Andreas Vogler Cc: vuln-devat_private Subject: RE: IE without Images When you remove the <?xml version="1.0" encoding="UTF-8"?> tag from the image, it loads properly. Actually, you can remove everything in the file past the XML declaration there, and it still causes IE to process indefinitely. It seems to me that IE is reading it as a .jpg, but then sees the XML tag, and assumes it's an XML file, then gets all sorts of confused. As to why it never seems to close the file, im not too sure there. It's most likely just another IE bug. Could this possibly lead to running XML from image files? Attached is error.txt, it is just a cut down version of error.jpg, with just the headers, and it still processes indefinitely on my IE. In actuality, it seems that "ÿØÿà" (that might not print right on some machines, without quotes) followed by an XML header is all that it needs. (IE 5.50.4134.0600 SP2) (Win2k SP2, semi-current on patches) Opera 6.01 on my machine is unaffected. Funniest thing happend after this, i saved the image to disk, and opened it in IE from there. Renamed it to a .tiff because the image has bell.tiff inside. Lo and behold, it becomes undeletable from explorer. Same thing goes for ".tif". Why Tif and Tiff, i dont know, other image extensions and garbage extensions delete fine... It seems that Explorer tries to preview the image, and because IE is integrated into Win2k, IE hangs trying to load the image, and keeps it open for a very long time. How exactly was this image made? It has Photoshop 7 in the file, with a date of 2002:07:10, which tells me it was made pretty recently. Yet when i attempt to make similar images in Photoshop, none of them contain that XML header. -Ryan Goetzinger PGP: DD42 133A 2EAE B584 AC8A F6EC EEE1 076B EF78 F669 -----Original Message----- From: Andreas Vogler [mailto:loreat_private] Sent: Thursday, July 11, 2002 4:52 AM To: vuln-devat_private Subject: IE without Images There is an jpg Picture which is 22k of size, when it is loaded via an IMG html tag, IE gets messed up, and will not show any other pictures , until you restart your IE. Mayby someone can tell whats the reason Here's the Example: http://animexx.4players.de/iebug/ See you
This archive was generated by hypermail 2b30 : Sat Aug 31 2002 - 19:12:22 PDT
