Full Disclosure mailing list archives
Re: Yet another IE aperture
From: "GreyMagic Security" <security () greymagic com>
Date: Sat, 9 Oct 2004 03:28:25 +0200
> Georgi Guninski security advisory #71, 2004
> http://www.guninski.com/where_do_you_want_billg_to_go_today_1.html
>
> .. snip ..
>
> By opening html in IE it is possible to read at least well formed xml from arbitrary servers. The info then may be transmitted.
GreyMagic disclosed the EXACT same issue in August 2002, over two years ago. Microsoft, at the time, took over 6 months to resolve the issue (initially reported to them in Feb 2002) and eventually released a patch (MS02-047). See http://www.greymagic.com/security/advisories/gm009-ie/ for more details and a live PoC (it also shows a neat method to get partial content from documents that aren't well-formed xml).

That said, all our tests of this issue currently throw an "Access denied" exception, as they properly should. However, these tests are performed in the Internet Zone. Your tests might have been performed in another zone that had "Access data sources across domains" set to "Enabled," which would enable this vulnerability by design.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
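The reply above hinges on which security zone the test ran in and whether that zone has "Access data sources across domains" enabled. The following audit script is an added example, not part of the original post or of GreyMagic's advisory; it assumes the setting is stored per zone under the user's Internet Settings\Zones key as the value named 1406 (0 = Enabled, 1 = Prompt, 3 = Disabled), which is the Windows convention for this option but is not stated on the page.

```powershell
# Added example: list the "Access data sources across domains" setting for each
# IE security zone of the current user, so a tester can see which zones would
# permit cross-domain XML reads by design rather than by a bug.
# Assumption (not from the post): the setting is registry value "1406" under
# HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enabled (cross-domain data access allowed by design)'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-CrossDomainDataSourceSetting {
    param([string]$Hive = 'HKCU')   # use 'HKLM' to inspect the machine-wide defaults
    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    foreach ($zone in 0..4) {
        $key = "$base\$zone"
        $raw = (Get-ItemProperty -Path $key -Name '1406' -ErrorAction SilentlyContinue).'1406'
        if ($null -eq $raw) {
            $state = 'Not set (IE default applies)'
        } elseif ($Meaning.ContainsKey([int]$raw)) {
            $state = $Meaning[[int]$raw]
        } else {
            $state = "Unknown value $raw"
        }
        [pscustomobject]@{
            Zone     = $zone
            Name     = $ZoneNames[$zone]
            Raw      = $raw
            Setting  = $state
            # Only the Internet zone (3) is the relevant baseline for a public-site test;
            # an "Enabled" here would explain cross-domain reads without any IE flaw.
            Exposed  = ($raw -eq 0)
        }
    }
}

Get-CrossDomainDataSourceSetting | Format-Table -AutoSize
```

Run it with `-Hive HKLM` as well, since a machine-wide policy can override the per-user value shown for the Internet zone.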