Full Disclosure mailing list archives
RE: The *real* reason the pivx unpatched IE flaws page was taken offline?
From: Raymond Morsman <raymond () dyn org>
Date: Thu, 11 Dec 2003 14:54:03 +0000
Quoting List Account <list.account () cerdant com>:
> Does anyone have an archived copy of the page(s) they would be willing to share with the list?
lynx -dump:

PivX Logo [4]Home | [5]StrikeFirst | [6]Solutions | [7]Press & Papers | [8]Clients | [9]Research | [10]Contact

Unpatched IE security holes

Please note: this site will work in any browser and on any device; however, it will look much nicer on CSS-compatible browsers. If you are using a browser that supports CSS, please wait while the CSS file loads and this message will disappear. If you wish to enjoy the web to the fullest, please [11]upgrade to a standards-compatible browser.

Why this page?

This page is a list of vulnerabilities that remain unpatched; it is our hope that the increased awareness brought forth may help further the research necessary to properly secure them. Vulnerabilities listed on this page work (among others) with the latest versions of Internet Explorer, with all patches installed. Until proper patches have been provided, the only fix to some of these vulnerabilities is to disable scripting. This page is, and always will be, a work in progress. This is not a definitive list of vulnerabilities.

[12]Back

Miscellaneous news

11 September 2003: There are currently 31 unpatched vulnerabilities. The latest cumulative Internet Explorer patch is released August 20, 2003 with the identifier [13]MS03-032. Cumulative patches combine all previous IE patches, and should be considered mandatory installs.

11 September 2003: Added Media bar resource injection by jelmer
10 September 2003: Added file-protocol proxy by Liu Die Yu
10 September 2003: Added NavigateAndFind protocol history by Liu Die Yu
10 September 2003: Added window.open search injection by Liu Die Yu
10 September 2003: Added NavigateAndFind file proxy by Liu Die Yu
10 September 2003: Added Timed history injection by Liu Die Yu
10 September 2003: Added history.back method caching by Liu Die Yu
10 September 2003: Added Click hijacking by Liu Die Yu
9 September 2003: Re-added Re-evaluating HTML elevation
26 August 2003: Added ADODB.Stream local file writing by jelmer
20 August 2003: Changed latest cumulative IE patch link, [14]MS03-032 released
5 August 2003: Added Notepad popups by Richard M. Smith
4 August 2003: Added protocol control chars by badWebMasters
[15]Older news...

Unpatched vulnerabilities

Media bar resource injection
Description: Arbitrary file download and execution, by ability to load resource files in a window object
Reference: [16]http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
Exploit: [17]http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm

file-protocol proxy
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: [18]http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM
Exploit: [19]http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-MyPage.HTM

NavigateAndFind protocol history
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: [20]http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM
Exploit: [21]http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-MyPage.HTM

window.open search injection
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: [22]http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM
Exploit: [23]http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-MyPage.htm

NavigateAndFind file proxy
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: [24]http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-Content.HTM
Exploit: [25]http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-MyPage.htm

Timed history injection
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: [26]http://safecenter.net/liudieyu/BackMyParent2/BackMyParent2-Content.HTM
Exploit: [27]http://www.safecenter.net/liudieyu/BackMyParent2/BackMyParent2-MyPage.HTM

history.back method caching
Description: cross-domain scripting, cookie/data/identity theft, command execution
Reference: [28]http://safecenter.net/liudieyu/RefBack/RefBack-Content.HTM
Exploit: [29]http://www.safecenter.net/liudieyu/RefBack/RefBack-MyPage.HTM

Click hijacking
Description: Pointing IE mouse events at non-IE/system windows
Reference: [30]http://safecenter.net/liudieyu/HijackClick/HijackClick-Content.HTM
Exploit: [31]http://safecenter.net/liudieyu/HijackClick/HijackClick2-MyPage.HTM

Re-evaluating HTML elevation
dataSrc command execution
Description: Allows execution of arbitrary commands in Local Zones
Detail: This bug is related to the codebase local path bug, but details the actual issue and runs without scripting or ActiveX enabled
Published: February 28th 2002
Reference: [32]http://security.greymagic.com/adv/gm001-ie/
Example exploit: [33]http://security.greymagic.com/adv/gm001-ie/advbind.asp
Note: See [34]6th May 2003 Notes.
Notes September 2003: Renamed and re-added, symptom fixed instead of problem. Now demonstrates how to reach HTA functionality.
Reference: [35]http://msgs.securepoint.com/cgi-bin/get/bugtraq0309/83.html
Example exploit: [36]http://www.malware.com/badnews.html
Example exploit without scripting: [37]http://www.malware.com/greymagic.html
Temporary workaround: Change the mime-type application/hta to something else

ADODB.Stream local file writing
Description: Planting arbitrary files on the local file system
Exploit: [38]http://ip3e83566f.speed.planet.nl/eeye.html (but unrelated to the EEye exploit)

Notepad popups
Description: Opening popup windows without scripting
Reference: [39]http://computerbytesman.com/security/notepadpopups.htm
Followup: [40]http://msgs.securepoint.com/cgi-bin/get/bugtraq0308/55.html
Note: This is just an example of the problem; this entry will be replaced when more material is published

protocol control chars
Description: Circumventing content filters
Reference: [41]http://badwebmasters.net/advisory/012/
Exploit: [42]http://badwebmasters.net/advisory/012/test2.asp

WMP local file bounce
Description: Switching security zone, arbitrary command execution, automatic email-borne command execution
Reference: [43]http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=6783
Exploit: [44]http://www.malware.com/once.again!.html

HTTP error handler Local Zone XSS
Description: HTML/Script injection in the Local Zone
Reference: [45]http://sec.greymagic.com/adv/gm014-ie/
Exploit: [46]http://sec.greymagic.com/adv/gm014-ie/

XSS in Unparsable XML Files
Description: Cross-Site Scripting on any site hosting files that can be misrendered in MSXML
Reference: [47]http://sec.greymagic.com/adv/gm013-ie/
Exploit: [48]http://sec.greymagic.com/adv/gm013-ie/

Alexa Related Privacy Disclosure
Description: Unintended disclosure of private information when using the Related feature
Reference: [49]http://www.secunia.com/advisories/8955/
Reference: [50]http://www.imilly.com/alexa.htm

Basic Authentication URL spoofing
Description: Spoofing the URL displayed in the Address bar
Reference: [51]http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/15.html

DNSError folder disclosure
Description: Gaining access to local security zones
Reference: [52]http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/52.html

mhtml wecerr CAB flip
Description: Delivery and installation of an executable
Reference: [53]http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/48.html

WebFolder data Injection
Description: Injecting arbitrary data in the My Computer zone
Reference: [54]http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/13.html

codebase local path
Description: Allows execution of arbitrary commands in Local Zones
Hinted: June 25th 2000 by Dildog
Reference: [55]http://online.securityfocus.com/archive/1/66869
Hinted: November 23rd 2000 by Georgi Guninski
Reference: [56]http://www.guninski.com/parsedat-desc.html
Published: January 10th 2002, by thePull (incorrectly labeled the "Popup object" vulnerability)
Reference: [57]http://home.austin.rr.com/wiredgoddess/thepull/advisory4.html
Example exploit: [58]http://home.austin.rr.com/wiredgoddess/thepull/funRun.html
Note: See [59]6th May 2003 Notes.

Web Archive buffer overflow
Description: Possible automated code execution.
Reference: [60]http://msgs.securepoint.com/cgi-bin/get/bugtraq0303/107.html

dragDrop invocation
Description: Arbitrary local file reading through native Windows dragDrop invocation.
Reference: [61]http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html
Exploit: [62]http://kuperus.xs4all.nl/security/ie/xfiles.htm

document.domain parent DNS resolver
Description: Improper duality check leading to firewall breach
Published: July 29 2002
Reference: [63]http://online.securityfocus.com/archive/1/284908/2002-07-27/2002-08-02/0

FTP Folder View XSS
Description: Elevating privileges, running script in the My Computer zone, arbitrary command execution, etc.
Published: June 7th 2002 (Microsoft was notified December 21st 2001.)
Reference: [64]http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html
Exploit: [65]http://jscript.dk/Jumper/xploit/ftpfolderview.html

DynSrc Local File detection
Description: Detect if a local file exists, and read its size/date
Published: March 27th 2002
Reference: [66]http://security.greymagic.com/adv/gm003-ie/
Status: Patched in IE6 by [67]IE6 Service Pack 1, but IE5 and 5.5 are still vulnerable.

Security zone transfer
Description: Automatically opening IE + Executing attachments
Published: March 22nd 2002
Reference: [68]http://security.greymagic.com/adv/gm002-ie/

Extended HTML Form Attack
Description: Cross Site Scripting through non-HTTP ports, stealing cookies, etc.
Published: February 6th 2002
Reference: [69]http://eyeonsecurity.org/advisories/multple-web-browsers-vulnerable-to-extended-form-attack.htm

"script src" local file enumeration
Description: Enables a malicious programmer to detect if a local file exists.
Published: January 3rd 2002
Reference: [70]http://www.securityfocus.com/bid/3779
Example exploit: [71]http://jscript.dk/Jumper/xploit/scriptsrc.html

IE https certificate attack
Description: Undetected SSL man-in-the-middle attacks, decrypting SSL-encrypted traffic in realtime
Published: December 22 2001 ( Stefan Esser )
Published: June 6 2000 ( ACROS )
Reference: [72]http://security.e-matters.de/advisories/012001.html
Example exploit: [73]http://suspekt.org/
Status: Initially fixed in IE4 and early IE5s by MS00-039, re-introduced by a later patch.

Patched vulnerabilities

These used to be listed on this page, but have now been patched. Hopefully, this means that this page is working as expected.

Content-Disposition/Type
Description: Allows spoofing of filename in download dialog
Published: November 26th 2001
Reference: [74]http://www.securityfocus.com/cgi-bin/archive.pl?id=1&threads=1&tid=242376
Patched: December 13th 2001 ( [75]http://www.microsoft.com/technet/security/bulletin/MS01-058.asp )
Re-Published: December 16th (by HTTP-EQUIV, patch didn't work)
Reference: [76]http://online.securityfocus.com/archive/88/245822
Example exploit: [77]http://jscript.dk/Jumper/xploit/contentspoof.asp
[78]Finally patched by MS02-005 (nice touch about blurring Open)

XMLHTTP
Description: Allows reading of local files
Published: December 15th 2001
Reference: [79]http://www.securityfocus.com/bid/3699
Example exploit: [80]http://jscript.dk/Jumper/xploit/xmlhttp.asp
[81]Finally completely patched by MS02-008

document.open
Description: Allows cross-domain scripting (reading cookies from other site, etc.)
Published: December 19th 2001
Reference: [82]http://www.securityfocus.com/bid/3721
Example exploits: [83]http://tom.me.uk/MSN/ & [84]http://home.austin.rr.com/wiredgoddess/thepull/advisory3.html
[85]Patched by MS02-005

GetObject
Description: Allows reading of local files (any type, even binary)
Published: January 1st 2002
Reference: [86]http://www.securityfocus.com/bid/3767
Example exploit: [87]http://jscript.dk/Jumper/xploit/GetObject.html
[88]Patched by MS02-005

Cookie-based Script Execution
Description: Injecting script in the Local Zone.
Published: April 3rd 2002
Reference: [89]http://online.securityfocus.com/archive/1/265459
Status: Partly patched by [90]MS02-015, easily circumvented.
[91]Patched by MS02-023

File download execution
Description: Download and execute any program automatically
Published: March 18th 2002
Reference: [92]http://www.lac.co.jp/security/english/snsadv_e/48_e.html
History: Added March 23rd, removed March 26th, re-added March 27th
Details: [93]http://www.newsbytes.com/news/02/175484.html
[94]Patched by MS02-023

OWC Local File Detection
Description: Multiple local files detection issues
Published: April 8th 2002
Reference: [95]http://security.greymagic.com/adv/gm008-ie/
Exploit: [96]http://security.greymagic.com/adv/gm008-ie/
[97]Patched by MS02-044

OWC Clipboard Access
Description: Complete clipboard access even with Clipboard Disabled
Published: April 8th 2002
Reference: [98]http://security.greymagic.com/adv/gm007-ie/
Exploit: [99]http://security.greymagic.com/adv/gm007-ie/
[100]Patched by MS02-044

OWC Local File Reading
Description: Reading local and remote files with OWC in IE
Published: April 8th 2002
Reference: [101]http://security.greymagic.com/adv/gm006-ie/
Exploit: [102]http://security.greymagic.com/adv/gm006-ie/
[103]Patched by MS02-044

OWC Scripting
Description: Running script even with Scripting Disabled
Published: April 8th 2002
Reference: [104]http://security.greymagic.com/adv/gm005-ie/
Exploit: [105]http://security.greymagic.com/adv/gm005-ie/advowcscr.asp
[106]Patched by MS02-044

Remote dialogArguments interaction
Description: Elevating privileges, hijacking MSN Messenger, running script in the My Computer zone, arbitrary command execution, etc.
Published: April 16th 2002
Reference: [107]http://jscript.dk/adv/TL002/
Exploit: [108]http://jscript.dk/adv/TL002/
Appendix: Extending the vulnerable version from just IE6 to IE5 and higher.
Reference and exploit: [109]http://security.greymagic.com/adv/gm001-ax/
Status: Partly patched by [110]MS02-023, IE6 appears fixed while IE5.5 and 5 are still wide open.
Patched by MS02-047

Gopher buffer overflow
Description: Delivery and execution of arbitrary code
Published: June 4th 2002
Reference: [111]http://www.solutions.fi/index.cgi/news_2002_06_04?lang=en
Workaround: [112]http://www.microsoft.com/technet/security/bulletin/MS02-027.asp
Third-party fix: [113]http://www.pivx.com/gopher_smoker.html
Patched by MS02-047

object Cross Domain Scripting
Description: Elevating privileges, arbitrary command execution, local file reading, stealing arbitrary cookies, etc.
Published: July 10 2002
Reference: [114]http://www.pivx.com/larholm/adv/TL003/
Exploit: [115]http://www.pivx.com/larholm/adv/TL003/
Patched by MS02-047

IE dot bug
Description: Overriding filetype handlers on local files
Published: May 19th 2002
Reference: [116]http://online.securityfocus.com/archive/1/273168/2002-05-18/2002-05-24/0
Patched by MS02-047

XP Help deleter
Description: Arbitrary local file/folder deletion.
Published: August 15 2002
Reference: [117]http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00224.html
Exploit: [118]http://jscript.dk/2002/8/sec/xphelpdelete.html
[119]Patched by Windows XP SP1

delegated SSL authority
Description: HTTPS spoofing, man-in-the-middle attacks, etc.
Published: August 6 2002
Reference: [120]http://www.thoughtcrime.org/ie-ssl-chain.txt
Reference: [121]http://arch.ipsec.pl/inteligo.html
Exploit: [122]http://www.thoughtcrime.org/ie.html
[123]Appears patched by MS02-050

Who framed Internet Explorer
Description: Cross-protocol scripting, arbitrary command execution, local file reading, cookie theft, website forging, sniffing https, etc.
Published: September 9 2002
Reference: [124]http://sec.greymagic.com/adv/gm010-ie/
Exploit: [125]http://sec.greymagic.com/adv/gm010-ie/wfsimple.html
Patched by MS02-066

iframe Document - The D-day
Description: Circumventing zone sandboxing, XSS, cookie theft, local file reading / execution
Published: October 15 2002
Reference: [126]http://security.greymagic.com/adv/gm011-ie/
Exploits: [127]http://security.greymagic.com/adv/gm011-ie/
Patched by MS02-066

object zone redirection
Description: Circumventing the zone restrictions introduced by IE6 SP1
Published: September 10 2002
Reference: [128]http://www.pivx.com/larholm/adv/TL005/
Reference: [129]http://online.securityfocus.com/bid/5730/discussion/
Patched by MS02-066

showModalDialog method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: [130]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: [131]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

createRange method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: [132]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: [133]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

elementFromPoint method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: [134]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: [135]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

getElementById method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: [136]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: [137]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

getElementsByName method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: [138]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: [139]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

getElementsByTagName method caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: [140]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: [141]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

execCommand method caching
Description: Read access to the foreign document.
Published: October 22 2002
Reference: [142]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: [143]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Patched by MS02-066

document.write method caching
Description: Spoofing of content
Published: October 21 2002
Reference: [144]http://online.securityfocus.com/archive/1/296371/2002-10-19/2002-10-25/0
Exploit: [145]http://clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.
Patched by MS02-066

"assign" method caching
Description: Circumventing zone sandboxing, cross-protocol scripting, cookie theft, and possible local file reading / execution
Published: October 1 2002
Reference: [146]http://online.securityfocus.com/archive/1/293692/2002-09-29/2002-10-05/0
Exploit: [147]http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm
Exploit: [148]http://jscript.dk/2002/10/sec/SaveRefLocalFile.html (local file reading and execution)
Patched by MS02-066

Slash URL encoding XSS
Description: Arbitrary Cross Domain Scripting, cookie theft, etc.
Published: September 3 2002
Reference: [149]http://online.securityfocus.com/archive/1/290220/2002-09-01/2002-09-07/0
Exploit: [150]http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
Patched by MS02-066

HTML Help ActiveX
Description: stack and heap based buffer overflows, DOS
Published: May 27th 2002
Reference: [151]http://www.nextgenss.com/vna/ms-whelp.txt
Reference: [152]http://online.securityfocus.com/bid/4857
Believed to be Patched by MS02-066

external object caching
Description: Circumventing security zones, XSS, cookie theft, local file reading / execution, etc.
Published: October 22 2002
Reference: [153]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: [154]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
[155]Patched by MS02-068

MS JVM native method vulnerabilities
Description: A collection of at least 10 different vulnerabilities in the MS JVM, escaping the sandbox, local file reading, silent delivery and execution of arbitrary programs, etc.
Published: September 9 2002
Reference: [156]http://www.solutions.fi/index.cgi/news_2002_09_09?lang=eng
[157]Patched by MS03-011

Self-executing HTML Help
Description: Delivery and execution of arbitrary programs
Published: June 1st 2002
Reference: [158]http://www.malware.com/yelp.html
Reference: [159]http://online.securityfocus.com/archive/1/275126
Exploit: [160]http://www.malware.com/html.zip
[161]Patched by MS03-015

cross-frame dialogArguments access
Description: Circumventing security zones, local file reading / execution, etc.
Published: November 20 2002
Reference: [162]http://online.securityfocus.com/archive/1/300525/2002-11-17/2002-11-23/0
Exploit: [163]http://www16.brinkster.com/liudieyu/BadParent/BadParent-MyPage.htm
Extended Exploit: [164]http://security.greymagic.com/misc/globalDgArg/
[165]Patched by MS03-015

clipboardData object caching
Description: Read/write access to the clipboard, regardless of settings.
Published: October 22 2002
Reference: [166]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
Exploit: [167]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
[168]Patched by MS03-015

Java XMLDSO base tag
Description: Arbitrary local file reading.
Published: August 17 2002
Reference: [169]http://online.securityfocus.com/archive/1/287895/2002-08-15/2002-08-21/0
Exploit: [170]http://www.xs4all.nl/~jkuperus/msieread.htm
Patched by [171]MS03-011 and [172]MS03-015

CTRL-key file upload focus
Description: Local file reading, downloading and executing arbitrary code.
Published: July 23 2002
Reference: [173]http://online.securityfocus.com/archive/1/283866/2002-07-21/2002-07-27/0
Exploit: [174]http://jscript.dk/2002/7/sec/sandbladctrl.html (corrected to include SHIFT)
[175]Patched by MS03-015

Back Button CSS
Description: Read cookies/local files and execute code (triggered when user hits the back button)
Published: April 15th 2002
Reference: [176]http://online.securityfocus.com/archive/1/267561
[177]Patched by MS03-015

HELP.dropper (IE6, OE6, Outlook)
Description: Silent delivery and installation of an executable on a target computer
Published: March 28th 2002
Reference and example exploit: [178]http://www.malware.com/lookout.html
Reference: [179]http://online.securityfocus.com/archive/1/264590
[180]Patched by MS03-015

JVM Bytecode Verifier
Description: Escaping applet sandbox restrictions, taking any action.
Published: November 21 2002
Reference: [181]http://msgs.securepoint.com/cgi-bin/get/bugtraq0211/255.html
Reference / POC: [182]http://lsd-pl.net/java_security.html
[183]Patched by MS03-011

Embedded files XSS
Description: XSS to arbitrary sites, cookie theft
Reference: [184]http://msgs.securepoint.com/cgi-bin/get/bugtraq0212/218.html
Exploit: [185]http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
[186]Patched by MS03-015

dialog style XSS
Description: security zone XSS, cookie theft, monitoring the user.
Published: December 3 2002
Reference: [187]http://msgs.securepoint.com/cgi-bin/get/bugtraq0212/29.html
Exploit: [188]http://jscript.dk/2002/11/sec/diemodalstyleXSS.html
[189]Patched by MS03-015

WMP Stench
Description: Silent delivery and installation of an executable on a target computer
Published: August 21 2002
Reference: [190]http://www.malware.com/stench.html
Exploit: [191]http://www.malware.com/malware.php
[192]Patched by MS03-015

cssText Local File Reading
Description: Reading portions of local files, depending on structure.
Published: April 2nd 2002
Reference: [193]http://security.greymagic.com/adv/gm004-ie/
Exploit: [194]http://security.greymagic.com/adv/gm004-ie/
[195]Patched by MS03-015

object longtype
Description: Code execution
Reference: [196]http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/49.html
Exploit: [197]http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/78.html
[198]Patched by MS03-020

remote file request flooding
Description: Arbitrary remote file execution
Reference: [199]http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/130.html
Reference: [200]http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/147.html
Exploit: [201]http://www.malware.com/forceframe.html
[202]Patched by MS03-020

local file request flooding
Description: Arbitrary local file execution
Reference: [203]http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/85.html
[204]Patched by MS03-020

align buffer overflow
Description: Buffer overflow, arbitrary code execution
Reference: [205]http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/170.html
[206]Patched by MS03-023

Related patches

MS02-008
Patches: XMLHTTP
Published: February 22nd 2002 (21st February in USA)
Location: [207]http://www.microsoft.com/technet/security/bulletin/MS02-008.asp

MS02-044
Patches: OWC Local File Detection, OWC Clipboard Access, OWC Local File Reading & OWC Scripting
Published: August 20th 2002
Location: [208]http://microsoft.com/technet/security/bulletin/MS02-044.asp

IE6 Service Pack 1
Patches: cssText and DynSrc
Published: September 9th 2002
Location: [209]http://microsoft.com/windows/ie/downloads/critical/ie6sp1/

Windows XP Service Pack 1
Patches: Everything IE6 SP1 patches, and XP Help deleter
Published: September 9th 2002
Location: [210]http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/

MS02-050
Patches: delegated SSL authority
Published: September 4th 2002, last updated October 17th 2002
Location: [211]http://microsoft.com/technet/security/bulletin/MS02-050.asp

MS03-011
Patches: ByteCode Verifier and all previous JVM related vulnerabilities; this is MS JVM build 3810.
Published: April 9th 2003
Location: [212]http://www.microsoft.com/technet/security/bulletin/MS03-011.asp

MS03-020
Notice: This is the latest IE cumulative patch. This combines all previous IE patches.
Patches: object longtype overflow
Published: June 4th 2003
Location: [213]http://www.microsoft.com/technet/security/bulletin/MS03-020.asp

MS03-032
Notice: This is the latest IE cumulative patch. This combines all previous IE patches.
Patches: OBJECT HTA execution, and other not publicly known vulnerabilities
Published: August 20th 2003
Location: [214]http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

MS03-023
Patches: align buffer overflow
Published: July 10 2003
Location: [215]http://www.microsoft.com/technet/security/bulletin/MS03-023.asp

Who

Please mail any questions or comments to Thor Larholm - [216]thor () pivx com thor (at) pivx (dot) com

Copyright 2002 Pivx Solutions, LLC. All rights reserved.

References

1. http://www.google.com/help/features.html#cached
2. http://www.pivx.com/larholm/unpatched/
3. http://www.pivx.com/larholm/unpatched/
4. http://www.pivx.com/main.html
5. http://www.pivx.com/sf.html
6. http://www.pivx.com/solutions.html
7. http://www.pivx.com/writings.html
8. http://www.pivx.com/clients.html
9. http://www.pivx.com/research/
10. http://www.pivx.com/contact.html
11. http://www.webstandards.org/upgrade/
12. http://www.pivx.com/larholm/
13. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_032
14. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_032
15. http://www.pivx.com/larholm/unpatched/archivednews.html
16. http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
17. http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
18. http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM
19. http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-MyPage.HTM
20. http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM
21. http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-MyPage.HTM
22. http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM
23. http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-MyPage.htm
24. http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-Content.HTM
25. http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-MyPage.htm
26. http://safecenter.net/liudieyu/BackMyParent2/BackMyParent2-Content.HTM
27. http://www.safecenter.net/liudieyu/BackMyParent2/BackMyParent2-MyPage.HTM
28. http://safecenter.net/liudieyu/RefBack/RefBack-Content.HTM
29. http://www.safecenter.net/liudieyu/RefBack/RefBack-MyPage.HTM
30. http://safecenter.net/liudieyu/HijackClick/HijackClick-Content.HTM
31. http://safecenter.net/liudieyu/HijackClick/HijackClick2-MyPage.HTM
32. http://security.greymagic.com/adv/gm001-ie/
33. http://security.greymagic.com/adv/gm001-ie/advbind.asp
34. http://www.pivx.com/larholm/unpatched/6may03notes.html
35. http://msgs.securepoint.com/cgi-bin/get/bugtraq0309/83.html
36. http://www.malware.com/badnews.html
37. http://www.malware.com/greymagic.html
38. http://ip3e83566f.speed.planet.nl/eeye.html
39. http://computerbytesman.com/security/notepadpopups.htm
40. http://msgs.securepoint.com/cgi-bin/get/bugtraq0308/55.html
41. http://badwebmasters.net/advisory/012/
42. http://badwebmasters.net/advisory/012/test2.asp
43. http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=6783
44. http://www.malware.com/once.again%21.html
45. http://sec.greymagic.com/adv/gm014-ie/
46. http://sec.greymagic.com/adv/gm014-ie/
47. http://sec.greymagic.com/adv/gm013-ie/
48. http://sec.greymagic.com/adv/gm013-ie/
49. http://www.secunia.com/advisories/8955/
50. http://www.imilly.com/alexa.htm
51. http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/15.html
52. http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/52.html
53. http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/48.html
54. http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/13.html
55. http://online.securityfocus.com/archive/1/66869
56. http://www.guninski.com/parsedat-desc.html
57. http://home.austin.rr.com/wiredgoddess/thepull/advisory4.html
58. http://home.austin.rr.com/wiredgoddess/thepull/funRun.html
59. http://www.pivx.com/larholm/unpatched/6may03notes.html
60. http://msgs.securepoint.com/cgi-bin/get/bugtraq0303/107.html
61. http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html
62. http://kuperus.xs4all.nl/security/ie/xfiles.htm
63. http://online.securityfocus.com/archive/1/284908/2002-07-27/2002-08-02/0
64. http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html
65. http://jscript.dk/Jumper/xploit/ftpfolderview.html
66. http://security.greymagic.com/adv/gm003-ie/
67. http://www.pivx.com/larholm/unpatched/patch_IE6SP1
68. http://security.greymagic.com/adv/gm002-ie/
69. http://eyeonsecurity.org/advisories/multple-web-browsers-vulnerable-to-extended-form-attack.htm
70. http://www.securityfocus.com/bid/3779
71. http://jscript.dk/Jumper/xploit/scriptsrc.html
72. http://security.e-matters.de/advisories/012001.html
73. http://suspekt.org/
74. http://www.securityfocus.com/cgi-bin/archive.pl?id=1&threads=1&tid=242376
75. http://www.microsoft.com/technet/security/bulletin/MS01-058.asp
76. http://online.securityfocus.com/archive/88/245822
77. http://jscript.dk/Jumper/xploit/contentspoof.asp
78. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS05
79. http://www.securityfocus.com/bid/3699
80. http://jscript.dk/Jumper/xploit/xmlhttp.asp
81. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS08
82. http://www.securityfocus.com/bid/3721
83. http://tom.me.uk/MSN/
84. http://home.austin.rr.com/wiredgoddess/thepull/advisory3.html
85. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS05
86. http://www.securityfocus.com/bid/3767
87. http://jscript.dk/Jumper/xploit/GetObject.html
88. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS05
89. http://online.securityfocus.com/archive/1/265459
90. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS15
91. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS23
92. http://www.lac.co.jp/security/english/snsadv_e/48_e.html
93. http://www.newsbytes.com/news/02/175484.html
94. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS23
95. http://security.greymagic.com/adv/gm008-ie/
96. http://security.greymagic.com/adv/gm008-ie/
97. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS02_044
98. http://security.greymagic.com/adv/gm007-ie/
99. http://security.greymagic.com/adv/gm007-ie/
100. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS02_044
101. http://security.greymagic.com/adv/gm006-ie/
102. http://security.greymagic.com/adv/gm006-ie/
103. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS02_044
104. http://security.greymagic.com/adv/gm005-ie/
105. http://security.greymagic.com/adv/gm005-ie/advowcscr.asp
106. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS02_044
107. http://jscript.dk/adv/TL002/
108. http://jscript.dk/adv/TL002/
109. http://security.greymagic.com/adv/gm001-ax/
110. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS23
111. http://www.solutions.fi/index.cgi/news_2002_06_04?lang=en
112. http://www.microsoft.com/technet/security/bulletin/MS02-027.asp
113. http://www.pivx.com/gopher_smoker.html
114. http://www.pivx.com/larholm/adv/TL003/
115. http://www.pivx.com/larholm/adv/TL003/
116. http://online.securityfocus.com/archive/1/273168/2002-05-18/2002-05-24/0
117. http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00224.html
118. http://jscript.dk/2002/8/sec/xphelpdelete.html
119. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_XSP1
120. http://www.thoughtcrime.org/ie-ssl-chain.txt
121. http://arch.ipsec.pl/inteligo.html
122. http://www.thoughtcrime.org/ie.html
123. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS02_050
124. http://sec.greymagic.com/adv/gm010-ie/
125. http://sec.greymagic.com/adv/gm010-ie/wfsimple.html
126. http://security.greymagic.com/adv/gm011-ie/
127. http://security.greymagic.com/adv/gm011-ie/
128. http://www.pivx.com/larholm/adv/TL005/
129. http://online.securityfocus.com/bid/5730/discussion/
130. http://sec.greymagic.com/adv/gm012-ie
131. http://sec.greymagic.com/adv/gm012-ie
132. http://sec.greymagic.com/adv/gm012-ie
133. http://sec.greymagic.com/adv/gm012-ie
134. http://sec.greymagic.com/adv/gm012-ie
135. http://sec.greymagic.com/adv/gm012-ie
136. http://sec.greymagic.com/adv/gm012-ie
137. http://sec.greymagic.com/adv/gm012-ie
138. http://sec.greymagic.com/adv/gm012-ie
139. http://sec.greymagic.com/adv/gm012-ie
140. http://sec.greymagic.com/adv/gm012-ie
141. http://sec.greymagic.com/adv/gm012-ie
142. http://sec.greymagic.com/adv/gm012-ie
143. http://sec.greymagic.com/adv/gm012-ie
144. http://online.securityfocus.com/archive/1/296371/2002-10-19/2002-10-25/0
145. http://clik.to/liudieyu
146. http://online.securityfocus.com/archive/1/293692/2002-09-29/2002-10-05/0
147. http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm
148. http://jscript.dk/2002/10/sec/SaveRefLocalFile.html
149. http://online.securityfocus.com/archive/1/290220/2002-09-01/2002-09-07/0
150. http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
151. http://www.nextgenss.com/vna/ms-whelp.txt
152. http://online.securityfocus.com/bid/4857
153. http://sec.greymagic.com/adv/gm012-ie
154. http://sec.greymagic.com/adv/gm012-ie
155. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS02_068
156. http://www.solutions.fi/index.cgi/news_2002_09_09?lang=eng
157.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_011 158. http://www.malware.com/yelp.html 159. http://online.securityfocus.com/archive/1/275126 160. http://www.malware.com/html.zip 161. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015 162. http://online.securityfocus.com/archive/1/300525/2002-11-17/2002-11-23/0 163. http://www16.brinkster.com/liudieyu/BadParent/BadParent-MyPage.htm 164. http://security.greymagic.com/misc/globalDgArg/ 165. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015 166. http://sec.greymagic.com/adv/gm012-ie 167. http://sec.greymagic.com/adv/gm012-ie 168. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015 169. http://online.securityfocus.com/archive/1/287895/2002-08-15/2002-08-21/0 170. http://www.xs4all.nl/%7Ejkuperus/msieread.htm 171. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_011 172. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_015 173. http://online.securityfocus.com/archive/1/283866/2002-07-21/2002-07-27/0 174. http://jscript.dk/2002/7/sec/sandbladctrl.html 175. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015 176. http://online.securityfocus.com/archive/1/267561 177. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015 178. http://www.malware.com/lookout.html 179. http://online.securityfocus.com/archive/1/264590 180. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015 181. http://msgs.securepoint.com/cgi-bin/get/bugtraq0211/255.html 182. http://lsd-pl.net/java_security.html 183. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_011 184. http://msgs.securepoint.com/cgi-bin/get/bugtraq0212/218.html 185. http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm 186. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_015 187. 
http://msgs.securepoint.com/cgi-bin/get/bugtraq0212/29.html 188. http://jscript.dk/2002/11/sec/diemodalstyleXSS.html 189. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_015 190. http://www.malware.com/stench.html 191. http://www.malware.com/malware.php 192. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_015 193. http://security.greymagic.com/adv/gm004-ie/ 194. http://security.greymagic.com/adv/gm004-ie/ 195. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_015 196. http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/49.html 197. http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/78.html 198. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_020 199. http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/130.html 200. http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/147.html 201. http://www.malware.com/forceframe.html 202. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_020 203. http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/85.html 204. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_020 205. http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/170.html 206. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_023 207. http://www.microsoft.com/technet/security/bulletin/MS02-008.asp 208. http://microsoft.com/technet/security/bulletin/MS02-044.asp 209. http://microsoft.com/windows/ie/downloads/critical/ie6sp1/ 210. http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/ 211. http://microsoft.com/technet/security/bulletin/MS02-050.asp 212. http://www.microsoft.com/technet/security/bulletin/MS03-011.asp 213. http://www.microsoft.com/technet/security/bulletin/MS03-020.asp 214. http://www.microsoft.com/technet/security/bulletin/MS03-032.asp 215. http://www.microsoft.com/technet/security/bulletin/MS03-023.asp 216. 
mailto:thor () pivx com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html