[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTi=foD2Eupjmz4Lgye9UcDH2u7JcvO6nTk57K6_5@mail.gmail.com>
Date: Thu, 27 Jan 2011 23:22:08 +1100
From: laurent gaffie <laurent.gaffie@...il.com>
To: IEhrepus <5up3rh3i@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: www.google.com xss vulnerability Using mhtml
Not a google vuln.
Hunt down MSFT to pay for your bug.
Oh wait they dont pay for free research.. 0noz, you wont get any candy !
2011/1/27, IEhrepus <5up3rh3i@...il.com>:
> Security is a general,Many security issues are composed of many
> different vulnerabilities of different factory.
>
> like " mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!xxxx " this vul
>
> ----------------------------------------------------------------
> so we come back this vul need two Conditions
> 1.www.google.com app don't filter the CRLF
> 2.IE support mhtml protocol handler to render the mhtml file format,
> and this is the why mhtml: is designed
> --------------------------------------------------------------
>
> Both are indispensable. so google's vul is that don't take into
> account the security implications using mhtml,
>
> the MS vul is that "it does not honor Content-Type and related headers
> (or even "nosniff")." like MZ saiy
>
> GG and MS ,both are vul...
>
> in addition, if MS saiy this is mhtml: 's original function, So google
> is very dangerous to the user who using IE
>
> Even if MS fixed it. how about the google users who do not have time
> to upgrade IE ?
>
> ----by superhei
> hitest
>
>
>
> 2011/1/26 Michal Zalewski <lcamtuf@...edump.cx>:
>>> 1.www.google.com app don't filter the CRLF
>>
>> This is not strictly required; there are other scenarios where this
>> vulnerability is exploitable.
>>
>>> 2.IE support mhtml protocol handler to render the mhtml file format,
>>> and this is the why mhtml: is designed
>>
>> The real problem is that when mhtml: is used to fetch the container
>> over an underlying protocol, it does not honor Content-Type and
>> related headers (or even "nosniff").
>>
>> /mz
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists