lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040711155500.14113.qmail@www.securityfocus.com>
Date: 11 Jul 2004 15:55:00 -0000
From: Paul <paul@...yhats.cjb.net>
To: bugtraq@...urityfocus.com
Subject: Media Preview Script Execution Vulnerability




Note: This vulnerability as well as several more can be found at http://www.geryhats.cjb.net

Media Preview Script Execution Vulnerability 

[Tested]
MSDXM.DLL file version 6.4.09.1128
Microsoft Windows 2000 

[Discussion]
By using the windows media player control, media can be played in a browser, including asx files, which is just a playlist of media. If one of these files on the list is a weird protocol like javascript:, it will be executed in the zone of the page that called it. At first, this seems to be a small problem. However, on windows 2000, media can be previewed on a panel to the left if the media file is in a local directory and the user clicks on it. The panel uses the windows media player control to preview the media. If a user clicks on a specially-crafted asx file, javascript will be executed in the local zone. 

The example is a vulnerable asx file which, when clicked in explorer, will display a messagebox wiith the location of the directory.

Note: The asx file must be opened in the media player control. It will not work if opened in windows media player itself.

[Example]
http://freehost07.websamba.com/greyhats/asxvuln.htm


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ