| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Jan 2011 23:22:08 +1100 From: laurent gaffie <laurent.gaffie@...il.com> To: IEhrepus <5up3rh3i@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: www.google.com xss vulnerability Using mhtml Not a google vuln. Hunt down MSFT to pay for your bug. Oh wait they dont pay for free research.. 0noz, you wont get any candy ! 2011/1/27, IEhrepus <5up3rh3i@...il.com>: > Security is a general,Many security issues are composed of many > different vulnerabilities of different factory. > > like " mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!xxxx " this vul > > ---------------------------------------------------------------- > so we come back this vul need two Conditions > 1.www.google.com app don't filter the CRLF > 2.IE support mhtml protocol handler to render the mhtml file format, > and this is the why mhtml: is designed > -------------------------------------------------------------- > > Both are indispensable. so google's vul is that don't take into > account the security implications using mhtml, > > the MS vul is that "it does not honor Content-Type and related headers > (or even "nosniff")." like MZ saiy > > GG and MS ,both are vul... > > in addition, if MS saiy this is mhtml: 's original function, So google > is very dangerous to the user who using IE > > Even if MS fixed it. how about the google users who do not have time > to upgrade IE ? > > ----by superhei > hitest > > > > 2011/1/26 Michal Zalewski <lcamtuf@...edump.cx>: >>> 1.www.google.com app don't filter the CRLF >> >> This is not strictly required; there are other scenarios where this >> vulnerability is exploitable. >> >>> 2.IE support mhtml protocol handler to render the mhtml file format, >>> and this is the why mhtml: is designed >> >> The real problem is that when mhtml: is used to fetch the container >> over an underlying protocol, it does not honor Content-Type and >> related headers (or even "nosniff"). >> >> /mz >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists