Bugtraq mailing list archives

Re: IIS still revealing paths for web directories


From: nl () CT HEISE DE (Norbert Luckhardt)
Date: Sat, 15 Jan 2000 21:32:01 +0100


Hello out there,

At 11:10 13.01.00, Georgi Guninski wrote:
This leads to a client side problem also.
The problem is IIS does not escape the response, so one may put some
HTML and javascript in the page returned from www.microsoft.com.
Vulnerabilities:
1) For IE (tested on 5.01, probably other versions) - if the user has
put www.microsoft.com in the Trusted sites security zone, then hostile
javascript and ActiveX may be executed in the Trusted sites security
zone.

even if you mind seeing <anyhost>.microsoft.com as a trusted site - it also
works with the update host, where you need more rights to use it :-(

http://windowsupdate.microsoft.com/%3CIMG%20SRC=javascript:alert("Insecurity starts here!\nwindow.location:"+window.location)%3E.ida

this also works with IE (5.0 DE) and IMG SRC - I do not have to reload the
page (I guess it's because of the last IE bug Georgi found - IE starts it
in the security context of the previously used page - when pasting the URL
in the location field it does not start when the previous URL was not able
to execute JS)

moreover: the <P>-URL puts up the dialog again immediately after closing
the box, so that you have to kill IE...

http://www.microsoft.com/%3CP%20style=left:expression(alert("window.location:"+window.location))%3E.ida

have secure fun, Shalom then,
Norbert

--
Norbert Luckhardt   http://www.heise.de/ct/Redaktion/nl/
Redaktion c't       Tel.: +49 511 5352 - 300    Fax: +49 511 5352 - 417
Helstorfer Str. 7   D-30625 Hannover            BBS: +49 511 5352 - 301
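The thread's point is that the .ida error page echoes the percent-decoded request path into HTML without escaping it, so a path containing an encoded tag is rendered as markup in the www.microsoft.com origin (and, per Georgi's note, in whatever security zone the user has assigned that host). The following is an added example, not code from the post or from Microsoft/IIS: it contrasts an echoing error page with one that HTML-escapes the path before reflecting it, and runs a small check over constructed W3C-style log lines to flag requests whose decoded path carries HTML metacharacters. The error-page template, the function names and the log lines are all assumptions of mine.

```python
"""
Added example (not from the original post or from IIS): reflected, unescaped
request paths versus the escaped form, plus a log check for the pattern.

Everything below (template text, helper names, log lines) is constructed for
illustration; it does not reproduce the real IIS .ida error page.
"""
import html
import re
from typing import List
from urllib.parse import unquote

# Constructed stand-in for an error page that echoes the requested file name.
ERROR_TEMPLATE = "<html><body>The IDQ file {path} could not be found.</body></html>"


def render_error_unescaped(request_path: str) -> str:
    """The behaviour described in the thread: the percent-decoded path is
    echoed verbatim, so a decoded '<' ... '>' becomes a tag in the page."""
    return ERROR_TEMPLATE.replace("{path}", unquote(request_path))


def render_error_escaped(request_path: str) -> str:
    """Hardened form: decode first (as the server does), then HTML-escape
    before reflecting. html.escape() with quote=True also escapes quotes, so
    the path cannot break out of an attribute either."""
    return ERROR_TEMPLATE.replace("{path}", html.escape(unquote(request_path), quote=True))


def contains_markup(page: str) -> bool:
    """True if the rendered page contains any tag that the template itself
    does not contain, i.e. markup that came from the request."""
    template_tags = set(re.findall(r"<[^>]+>", ERROR_TEMPLATE.replace("{path}", "")))
    return any(tag not in template_tags for tag in re.findall(r"<[^>]+>", page))


# Constructed W3C-style log lines (not real traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-01-15 20:32:01 10.0.0.5 GET /default.htm - 200
2000-01-15 20:32:05 10.0.0.5 GET /%3CIMG%20SRC=javascript:alert(1)%3E.ida - 200
2000-01-15 20:32:09 10.0.0.7 GET /scripts/search.ida CiRestriction=foo 200
"""


def suspicious_requests(log_text: str) -> List[str]:
    """Return the decoded URI stems whose decoded form carries HTML
    metacharacters. Decoding first matters: the server decodes %3C before
    echoing, so a filter that only looks for a literal '<' would miss it."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        stem = unquote(fields[4])
        if re.search(r"[<>\"']", stem):
            hits.append(stem)
    return hits


if __name__ == "__main__":
    path = "/%3CIMG%20SRC=javascript:alert(1)%3E.ida"
    print("unescaped page reflects markup:", contains_markup(render_error_unescaped(path)))
    print("escaped page reflects markup:  ", contains_markup(render_error_escaped(path)))
    print("flagged log entries:", suspicious_requests(SAMPLE_LOG))
```

The fix belongs on the server side: escaping the reflected path neutralises both the IMG and the P/expression variants quoted above, whereas relying on the client's zone settings does not, since the page is served from the trusted host itself.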


