Open Source and information security mailing list archives
From: guninski at guninski.com (Georgi Guninski)
Subject: Re: Yet another IE aperture

I didn't notice you have disclosed this (or a very similar bug).

Besides me, more than 5 people tested variations of the testcase and it worked
for all of them.

Can you comment on these testcases:

http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo2.html
http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo.html

redirect1.pl is hosted on apache and is:
-----------------------
#!/usr/bin/perl
# Header-only CGI response: Apache turns an absolute Location header into a
# 302 redirect, so the XML data source is fetched from the other host.
print "Location: http://georgi.df.ru/xml2.xml\r\n\r\n";

-----------------------

Note: if the XML is not well formed, parseError returns at least one line of
it, not to mention other exploit scenarios.

-- 
georgi


On Sat, Oct 09, 2004 at 03:28:25AM +0200, GreyMagic Security wrote:
> >Georgi Guninski security advisory #71, 2004
> >http://www.guninski.com/where_do_you_want_billg_to_go_today_1.html
> 
> .. snip ..
> 
> >By opening html in IE it is possible to read at least well formed xml from
> >arbitrary servers. The info then may be transmitted.
> 
> GreyMagic disclosed the EXACT same issue in August 2002, over two years ago.
> Microsoft, at the time, took over 6 months to resolve the issue (initially
> reported to them in Feb 2002) and eventually released a patch (MS02-047).
> 
> See http://www.greymagic.com/security/advisories/gm009-ie/ for more details
> and a live PoC (it also shows a neat method to get partial content from
> documents that aren't well-formed xml).
> 
> That said, all our tests of this issue currently throw an "Access denied"
> exception, as they properly should. However, these tests are performed in
> the Internet Zone. Your tests might have been performed in another zone that
> had "Access data sources across domains" set to "Enabled," which would
> enable this vulnerability by design.
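The testcases above rely on a data source served from the page's own host (redirect1.pl) that answers with a Location header pointing at another host. The following is an added example, not code from the advisory, GreyMagic, or Microsoft: it models a client that follows such a redirect under two origin policies, checking only the URL the page asked for, versus checking every URL in the redirect chain against the document's origin. The redirect table, response bodies, and the assumption that the weak policy is what makes the redirect trick work are constructed for the demonstration.

```python
"""Same-origin enforcement across HTTP redirects (added example).

Models the redirect trick from the thread: a same-origin redirector hands
back cross-origin XML. A client that only compares the requested URL to the
document origin lets the content through; a client that checks every hop in
the redirect chain denies it.
"""

from urllib.parse import urlsplit

# Constructed: what each server answers when asked for a URL.
# REDIRECTS maps a URL to the Location it redirects to; BODIES holds final content.
REDIRECTS = {
    "http://www.guninski.com/redirect1.pl": "http://georgi.df.ru/xml2.xml",
}
BODIES = {
    "http://georgi.df.ru/xml2.xml": "<secret>constructed cross-domain data</secret>",
    "http://www.guninski.com/local.xml": "<ok>same-origin data</ok>",
}
MAX_HOPS = 5


class AccessDenied(Exception):
    """Raised when a hop in the fetch violates the origin policy."""


def origin(url):
    """Return the (scheme, host, port) origin triple, with default ports filled in."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def fetch(document_origin, url, check_every_hop):
    """Follow redirects from `url`; raise AccessDenied when policy rejects a hop.

    check_every_hop=False is the weak policy (assumed model of the bug): only the
    URL the page asked for is compared to the document origin, so a same-origin
    redirector can return cross-origin content.
    check_every_hop=True is the hardened policy: every Location visited by the
    chain must share the document's origin.
    """
    for hop in range(MAX_HOPS):
        if (hop == 0 or check_every_hop) and origin(url) != document_origin:
            raise AccessDenied(f"hop {hop}: {url} is not in {document_origin}")
        if url in REDIRECTS:
            url = REDIRECTS[url]  # follow the Location header to the next hop
            continue
        if url in BODIES:
            return BODIES[url]
        raise LookupError(f"no constructed response for {url}")
    raise AccessDenied("too many redirects")


def demo():
    """Fetch redirect1.pl from the demo page's origin under both policies."""
    doc = origin("http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo.html")
    results = {}
    for name, strict in (("weak", False), ("strict", True)):
        try:
            results[name] = fetch(doc, "http://www.guninski.com/redirect1.pl", strict)
        except AccessDenied:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(f"{policy}: {outcome}")
```

The strict policy is what "Access denied" in the Internet Zone corresponds to: the check has to be applied to the URL that actually supplies the data, not just the one the page named, otherwise a one-line redirector on the page's own host bypasses it.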

