lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: lists.netsys.com at jscript.dk (Thor Larholm)
Subject: ZDnet forum: IE formatting local drive

It's a copy of the advisory from Sandblad, with a few bits changed.

http://online.securityfocus.com/archive/1/298924/2002-11-02/2002-11-08/1

http://online.securityfocus.com/archive/1/299094/2002-11-02/2002-11-08/1
http://online.securityfocus.com/archive/1/299330/2002-11-09/2002-11-15/1
http://online.securityfocus.com/archive/1/299230/2002-11-09/2002-11-15/1

Why is this even surprising people? For ages, you have been able to plant a
file on the users machine, locate its location, jump to a local security
zone and then execute the file. Sure, you skip 2 steps by using the HTMLHelp
Control, but the impact is the same - running arbitrary code.


Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC

Are You Secure?
http://www.PivX.com

----- Original Message -----
From: "Alan Rouse" <ARouse@...b.com>
To: <Full-Disclosure@...ts.netsys.com>
Sent: Monday, November 11, 2002 7:29 PM
Subject: [Full-Disclosure] ZDnet forum: IE formatting local drive


> Format a local drive by visiting a URL from a fully patched Windows / IE
> platform.  This appeared last night:
>
> http://forums.zdnet.com/group/zd.Security.Virus.Alerts/community/communi
> ty.tpt/@...ead@...85@F@1@D-,D@.../@...icle@...k@...85?EXP=ALL&VWM=&ROS=&
> OC=75
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists