Bugtraq mailing list archives
RE: New Internet Explorer Cross Zone/Site Scripting Vulnerability
From: "Thor Larholm" <tlarholm () pivx com>
Date: Wed, 3 Mar 2004 11:49:44 -0800
This is not a new vulnerability but was covered on Bugtraq in September by jelmer and Liu Die Yu. Jelmer highlighted the Media Bar Ressource Injection vulnerability in his exploit published on September 11, 2003 at http://securityfocus.com/archive/1/337285 Which followed Liu Die Yus post on September 10 about a Search Pane Injection vulnerability at http://www.securityfocus.com/archive/1/336931 However, both failed to elaborate that the _media and _search injections are possible through not only the FILE protocol but also the HTTP protocol. Your proof-of-concept is a good demonstration on how to extend these 2 related vulnerabilities to also cover arbitrary webpages such as Google or Passport. Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com thor () pivx com Phone: +1 (949) 231-8496 PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net> -----Original Message----- From: Cheng Peng Su [mailto:apple_soup () msn com] Sent: Wednesday, March 03, 2004 4:47 AM To: bugtraq () securityfocus com Subject: New Internet Explorer Cross Zone/Site Scripting Vulnerability Snip http://www.securityfocus.com/archive/1/356083/2004-02-29/2004-03-06/0
Current thread:
- New Internet Explorer Cross Zone/Site Scripting Vulnerability Cheng Peng Su (Mar 03)
- <Possible follow-ups>
- RE: New Internet Explorer Cross Zone/Site Scripting Vulnerability Thor Larholm (Mar 03)