Message-ID: <20041219204706.18299.qmail@www.securityfocus.com>
Date: 19 Dec 2004 20:47:06 -0000
From: <cmthemc@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Re: Internet Explorer Code Execution Bypass Vulnerability


In-Reply-To: <20041217170337.26668.qmail@....securityfocus.com>

Hello,
  I'm a little bit confused as to why you would classify this as a "vulnerability" -- or even relate it to Internet Explorer at all... I think you have confused the simple HTML parsing of Active Desktop with Microsoft Internet Explorer... however, what you have listed as an "avoid/overrun/bypass" to the "new protection(?)" on "IE (winxp sp2)", is neither an avoid, overrun, or bypass. When the HTML with JS code is executed from within IE, SP2 still performs its magic. I'm afraid this was a weak attempt to get your name on the board.

-cmthemc

>
>Last week I discovered a vulnerability to avoid/overrun/bypass the new protection for Local JS Execution on IE (winxp sp2)
>
>--cut here--
>
><script>
>window.alert("Example Exploit");
></script>
>
>--cut here--
>
>(Copy and paste into your Notepad and save it as EXAMPLE.HTM)
>
>If you open EXAMPLE.HTM, your IE blocks this code and shows a yellow bar over the webpage.
>
>But I discovered a vulnerability to allow Local JS Code to execute on IE, the exploit is:
>
>"Go to Control Panel / Display Config and set as the desktop background the example webpage (EXAMPLE.HTM), once this is done, the code will be executed without showing any warning in IE"
>
>----------------------
>
>My Webpage: www.madantrax.cjb.net
>My ClanWeb: www.darknessteam.com
>ForumClan:  foro.darknessteam.com
>

