[VulnWatch] FW: failure notice

From: Ken Pfeil (Ken@private)
Date: Tue Mar 28 2006 - 14:12:18 PST

Previous message: Steve Manzuik: "[VulnWatch] EEYE: Temporary workaround for IE createTextRange vulnerability"
Next in thread: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: [VulnWatch] FW: failure notice"
Reply: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: [VulnWatch] FW: failure notice"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Just in case anyone uses IE with Sharepoint.. Boom.

----- Forwarded message from secure@private -----
    Date: Tue, 28 Mar 2006 11:47:12 -0800
    From: Microsoft Security Response Center <secure@private>
Reply-To: Microsoft Security Response Center <secure@private>
 Subject: RE: Another Attack Vector
      To: Ken@private

Hi Ken,

Thanks for getting back to me. I will pass your comments on to the case
manager handling this behavior with the SharePoint team.

Thanks,
Christopher, CISSP

-----Original Message-----
From: Ken@private [mailto:Ken@private]
Sent: Tuesday 28 March 2006 11:42
To: Microsoft Security Response Center
Subject: RE: Another Attack Vector

Thank you Christopher,

But there are a bazillion different scenarios where this could be
slightly more than detrimental. There are literally hundreds of sites
using Sharepoint for blogs, and anonymous access is an option turned on
by default. For a real working example, please open the file
IE_Exploit.txt on the below site and watch filemon dance a jig..

Best,
Ken


Quoting Microsoft Security Response Center <secure@private>:

> Hi Ken,
>
> Thanks for your note. This is by-design behavior with SharePoint and
> Internet Explorer and, as you mentioned, is related to IE MIME type
> detection. The mitigating circumstance in this scenario is that
> SharePoint sites are authenticated and it would be possible to "audit
> and punish" the attacker. Just the same, I'll pass this on to the case

> manager for this investigation.
>
> Thanks,
> Christopher, CISSP
>
> -----Original Message-----
> From: Ken@private [mailto:Ken@private]
> Sent: Tuesday 28 March 2006 09:16
> To: Microsoft Security Response Center
> Subject: Another Attack Vector
>
> There is yet another attack vector for createTextRange() (besides
> untrusted websites). Windows Sharepoint. If you create a txt file with

> html tags and post it, say in "Shared Documents", IE will render it as

> HTML in the browser when the document is clicked on instead of
> displaying as text. Example:
> https://foo.org/Shared%20Documents/test2.txt (code is
> simple html here, but could have been dangerous). You might want to
> update your advisory to include this.
>
> (And, I know you can de-select "Open Files Based on Content, not file
> extension" under IE, but that opens your host to *other*
> vulnerabilites.)
>
> Username for the system above for a sample doc is:
> testuser with password of password.
>
> Best,
> Ken
>
>





----- End forwarded message -----

Previous message: Steve Manzuik: "[VulnWatch] EEYE: Temporary workaround for IE createTextRange vulnerability"
Next in thread: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: [VulnWatch] FW: failure notice"
Reply: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: [VulnWatch] FW: failure notice"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Tue Mar 28 2006 - 14:39:13 PST