Vulnerability Development mailing list archives

RE: IE without Images


From: "Ian Webb" <webbi () sapc edu>
Date: Sat, 31 Aug 2002 02:59:44 -0400

I've attached a new error.txt that, when renamed to error.jpg, gives me
the following error:

The XML page cannot be displayed 
Cannot view XML input using style sheet. Please correct the error and
then click the Refresh button, or try again later. 


------------------------------------------------------------------------

An invalid character was found in text content. Error processing
resource 'file:///C:/error.jpg'. 

This seems to indicate that the jpg is indeed being executed as XML. I
can't figure out how to get rid of this 'invalid character', though. I
don't have much XML experience, and I may be missing something simple.

Also, this is on IE6 / WinXP Pro, both fully patched and supposedly not
vulnerable to the sample exploit I pasted in for the body. I don't know
if this has anything to do with the error I'm getting, though. I
couldn't find a cut-and-paste pure XML example that would pop up a
dialog box or some such, and changing the content after the first XML
header line from the original error.txt still gives me this error.


-----Original Message-----
From: Ryan Goetzinger [mailto:rgoetzinger () 1stcomp com] 
Sent: Thursday, July 11, 2002 4:22 PM
To: Andreas Vogler
Cc: vuln-dev () securityfocus com
Subject: RE: IE without Images

When you remove the <?xml version="1.0" encoding="UTF-8"?> tag from the
image, it loads properly.  Actually, you can remove everything in the
file past the XML declaration there, and it still causes IE to process
indefinitely.  It seems to me that IE is reading it as a .jpg, but then
sees the XML tag, and assumes it's an XML file, then gets all sorts of
confused.  As to why it never seems to close the file, I'm not too sure
there.  It's most likely just another IE bug.  Could this possibly lead
to running XML from image files?

Attached is error.txt, it is just a cut down version of error.jpg, with
just the headers, and it still processes indefinitely on my IE.  In
actuality, it seems that "ÿØÿà" (that might not print right on some
machines, without quotes) followed by an XML header is all that it
needs.

(IE 5.50.4134.0600 SP2)
(Win2k SP2, semi-current on patches)
Opera 6.01 on my machine is unaffected.

Funniest thing happened after this, I saved the image to disk, and
opened it in IE from there.  Renamed it to a .tiff because the image has
bell.tiff inside.  Lo and behold, it becomes undeletable from explorer.
Same thing goes for ".tif".  Why Tif and Tiff, I don't know, other image
extensions and garbage extensions delete fine...  It seems that Explorer
tries to preview the image, and because IE is integrated into Win2k, IE
hangs trying to load the image, and keeps it open for a very long time.

How exactly was this image made?  It has Photoshop 7 in the file, with a
date of 2002:07:10, which tells me it was made pretty recently.  Yet
when I attempt to make similar images in Photoshop, none of them contain
that XML header.



-Ryan Goetzinger
PGP: DD42 133A 2EAE B584 AC8A  F6EC EEE1 076B EF78 F669

    -----Original Message-----
    From: Andreas Vogler [mailto:lore () animexx de]
    Sent: Thursday, July 11, 2002 4:52 AM
    To: vuln-dev () securityfocus com
    Subject: IE without Images




    There is a jpg picture which is 22k in size. When it is loaded
    via an IMG html tag, IE gets messed up, and will not show any
    other pictures until you restart your IE. Maybe someone can
    tell what's the reason. Here's the example:
    http://animexx.4players.de/iebug/  See you

Attachment: error.txt
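
Added example, not part of any message in this thread: a Python check a file-upload filter could run, built on the thread's observation that the bytes FF D8 FF E0 ("ÿØÿà") followed directly by an XML declaration are all the file needs. It walks the JPEG segment structure and separates an XML declaration inside a length-delimited segment from one sitting where a segment length should be. The function names, verdict strings and sample bytes are constructed for this example, and it assumes every marker before the scan data carries a length field.

```python
import struct

SOI = b"\xff\xd8"      # JPEG start-of-image marker
XML_DECL = b"<?xml"

def build_segment(marker: int, payload: bytes) -> bytes:
    """Build one length-delimited JPEG segment (helper for the samples)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def malformed_verdict(data: bytes, pos: int) -> str:
    # Structure broke at pos: report whether an XML declaration sits nearby.
    return "malformed-with-xml" if XML_DECL in data[pos:pos + 1024] else "malformed"

def inspect_jpeg(data: bytes) -> str:
    """Walk the segments after SOI and say where any XML declaration sits."""
    if not data.startswith(SOI):
        return "not-jpeg"
    pos, xml_in_segment = 2, False
    while pos < len(data):
        if pos + 2 > len(data) or data[pos] != 0xFF:
            return malformed_verdict(data, pos)
        if data[pos + 1] in (0xD9, 0xDA):    # EOI or start of scan: header done
            break
        length_bytes = data[pos + 2:pos + 4]
        if len(length_bytes) < 2:
            return malformed_verdict(data, pos)
        (length,) = struct.unpack(">H", length_bytes)
        end = pos + 2 + length
        if length < 2 or end > len(data):    # length field points past the file
            return malformed_verdict(data, pos)
        xml_in_segment |= XML_DECL in data[pos + 4:end]
        pos = end
    else:
        return malformed_verdict(data, pos)  # ran out of bytes before scan data
    return "xml-in-metadata-segment" if xml_in_segment else "well-formed"

# Constructed sample matching the thread's description: FF D8 FF E0 + XML header.
THREAD_SAMPLE = SOI + b"\xff\xe0" + b'<?xml version="1.0" encoding="UTF-8"?>'
# Constructed sample: XML carried inside a properly delimited APP1 segment.
TAGGED_SAMPLE = (SOI + build_segment(0xE0, b"JFIF\x00" + bytes(9))
                 + build_segment(0xE1, b'<?xml version="1.0"?><x/>')
                 + b"\xff\xda\x00\x02\xff\xd9")

if __name__ == "__main__":
    for name, blob in (("thread", THREAD_SAMPLE), ("tagged", TAGGED_SAMPLE)):
        print(name, inspect_jpeg(blob))
```

In the thread's sample the two bytes read as the APP0 length are the "<?" of the XML declaration, so the segment claims to run far past the end of the file.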