Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

RE: New Internet Explorer Cross Zone/Site Scripting Vulnerability

From: "Thor Larholm" <tlarholm () pivx com>
Date: Wed, 3 Mar 2004 11:49:44 -0800
This is not a new vulnerability but was covered on Bugtraq in September
by jelmer and Liu Die Yu.

Jelmer highlighted the Media Bar Ressource Injection vulnerability in
his exploit published on September 11, 2003 at

http://securityfocus.com/archive/1/337285

Which followed Liu Die Yus post on September 10 about a Search Pane
Injection vulnerability at

http://www.securityfocus.com/archive/1/336931

However, both failed to elaborate that the _media and _search injections
are possible through not only the FILE protocol but also the HTTP
protocol. Your proof-of-concept is a good demonstration on how to extend
these 2 related vulnerabilities to also cover arbitrary webpages such as
Google or Passport. 


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net> 

-----Original Message-----
From: Cheng Peng Su [mailto:apple_soup () msn com] 
Sent: Wednesday, March 03, 2004 4:47 AM
To: bugtraq () securityfocus com
Subject: New Internet Explorer Cross Zone/Site Scripting Vulnerability



Snip
http://www.securityfocus.com/archive/1/356083/2004-02-29/2004-03-06/0
Previous By Date Next
Previous By Thread Next

Current thread: