Open Source and information security mailing list archives
Message-ID: <200306232039.h5NKdIo4015103@linus.mitre.org>
Date: Mon, 23 Jun 2003 16:39:18 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: Cross-Site Scripting in Unparsable XML Files (GM#013-IE)
Matt Moore said:

>I also reported this to Microsoft - sometime around May or June
>2002...  I copied Steve Christey at Mitre on a couple of the emails

I can confirm that on July 19, 2002, Matt CC'ed me on an email to the
Microsoft Security Response Center in which Matt asked about when his
reported issue would be fixed.  Included in that email was a trail of
other messages dating back to his original notification of June 25,
2002, with a subject of "Potential Cross Site Scripting Flaw in
Internet Explorer XML Parser".

Matt's original email includes the following:

  ... it's possible to perform XSS attacks against IE clients of a web
  server that has a malformed XML document residing on it.

  ... The XML parser in IE should sanitise any resource names it
  includes in its error messages. It appears that various [sic] of
  the IE XML parser error pages are vulnerable to this.

>this may already have a CAN entry.

For disclosures in which the vendor actively uses CVE identifiers,
such as Microsoft, our general approach is to encourage the researcher
to obtain a CVE name through the vendor.  This reduces the risk of
accidental duplication and errors in assigning CVE names, e.g. if
multiple researchers find the same issue, or if researchers find the
"symptoms" of a larger problem.

We do follow the "30-day" disclosure guideline and provide a CAN to
the researcher if they want to publicize an issue after 30 days, but
in this case Matt did not release, so a CAN was not assigned until
this issue was publicized by GreyMagic (CAN-2003-0446).


Steve Christey
CVE Editor
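The bug class described in Matt's quoted note, a parser error page that reflects the requested resource name into HTML without escaping it, as an added example in JavaScript that is not part of this message and is not IE's code: a stand-in "cannot parse" error page generator in the vulnerable form beside the hardened form. The well-formedness check, the page wording, the sample XML and the attacker-chosen resource name are all constructed for illustration and make no claim about what IE actually rendered.

```javascript
// Added example, not from the original post or from Internet Explorer.
// Models the pattern "resource name reflected into an XML parse-error page".

// Minimal HTML escaping for text placed into an HTML body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Toy stand-in for a real XML parser: a tag-balance check only
// (ignores comments, CDATA and attribute quoting). It exists so that
// malformed input reaches the error-page path, nothing more.
function isWellFormed(xml) {
  const stack = [];
  const tagRe = /<\/?([A-Za-z_][\w.-]*)[^>]*?(\/?)>/g;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const [tag, name, selfClose] = m;
    if (tag.startsWith("</")) {
      if (stack.pop() !== name) return false;   // mismatched close tag
    } else if (!selfClose) {
      stack.push(name);
    }
  }
  return stack.length === 0;                    // unclosed tags left over?
}

// Vulnerable form: the resource name (attacker-controlled, e.g. taken from
// the request URL) goes into the markup verbatim.
function errorPageVulnerable(resourceName, xml) {
  if (isWellFormed(xml)) return null;           // no error page needed
  return "<html><body><h1>The XML page cannot be displayed</h1>" +
         "<p>Cannot parse resource " + resourceName + "</p></body></html>";
}

// Hardened form: identical page, but the reflected value is escaped, so
// any markup smuggled in through the resource name is shown as text.
function errorPageHardened(resourceName, xml) {
  if (isWellFormed(xml)) return null;
  return "<html><body><h1>The XML page cannot be displayed</h1>" +
         "<p>Cannot parse resource " + escapeHtml(resourceName) +
         "</p></body></html>";
}

// Constructed sample input: a document that is not well-formed (item is
// never closed), and a request path carrying a script payload.
const MALFORMED_XML = "<root><item>unterminated</root>";
const ATTACKER_RESOURCE =
  '/broken.xml?x="><script>alert(document.domain)</script>';

// Convenience check used below: does the page carry a live <script> tag?
function reflectsScript(html) {
  return html !== null && html.includes("<script>");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable page reflects script:",
              reflectsScript(errorPageVulnerable(ATTACKER_RESOURCE, MALFORMED_XML)));
  console.log("hardened page reflects script:",
              reflectsScript(errorPageHardened(ATTACKER_RESOURCE, MALFORMED_XML)));
}
```

The point the example makes is the one in Matt's note: the malformed document need not be attacker-authored at all; it only has to exist on the target site, because the injected markup rides in on the resource name that the error page echoes back. The fix belongs in the component that builds the error page, not in the document.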
