Open Source and information security mailing list archives
Date: 26 Oct 2003 04:57:31 -0000
From: Mohsen Hariri <mohsen_hariri@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Re: Internet Explorer and Opera local zone restriction bypass
In-Reply-To: <20031024135303.26267.qmail@...uxmail.org>

It worked for me - IE6 on XP-SP1.
But it seems to be a Flash Player MX plugin bug rather than an IE bug, because it stores cookies (Flash documents call it SharedObject) on disk, in a fixed location.

bye

>Subject: Internet Explorer and Opera local zone restriction bypass
>
>Internet Explorer and Opera local zone restriction bypass.
>=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
>
>----------------------
>Vendor Information:
>----------------------
>
>Homepage : http://www.microsoft.com
>Vendor : informed
>Mailed advisory: 23/10/03
>Vendor Response : None yet
>
>
>----------------------
>Affected Versions:
>----------------------
>
>All versions of IE 6
>Possibly 5.x too
>
>
>----------------------
>Description:
>----------------------
>
>Microsoft Internet Explorer does not allow local file access by a remote host by default.
>By creating an iframe which points on a specially crafted cgi script (using the location header
>to confuse IE), it is possible to cause IE to execute any local file through the iframe with local
>zone restrictions. This then allows remote arbitrary file execution on the victim without having
>the victim do a thing except load the page.
>Opera seems to not only be affected by this vulnerability, but it also allows direct
>local file access through iframes without any cgi scripts. Unlike IE where it is possible
>to set activex objects to execute arbitrary files, in Opera it is not. There may be a way,
>but I am currently not aware of any.
>
>
>----------------------
>Exploit:
>----------------------
>
>I have created a proof of concept page, but I did not show or explain how the cgi scripts
>nor the flash file work exactly to prevent kiddie abuse.
>
>For IE: http://www.mlsecurity.com/ie/ie.htm
>
>For Opera: <iframe name="abc" src="file:///C:/"></iframe>
>
>----------------------
>Solution:
>----------------------
>
>Check Microsoft's website frequently until a new patch comes out.
>
>----------------------
>Contact:
>----------------------
>
>- Mindwarper
>- mindwarper@...uxmail.org
>- http://mlsecurity.com
>
>--
>______________________________________________
>Check out the latest SMS services @ http://www.linuxmail.org
>This allows you to send and receive SMS through your mailbox.
>
>
>Powered by Outblaze
>