Vulnwatch mailing list archives
Re: FW: failure notice
From: "Michael Evanchik" <mike () michaelevanchik com>
Date: Tue, 28 Mar 2006 21:38:52 -0500
As far as I know, HTML is not dangerous even in the local zone with IE (not including the 0-day exploit that's out now).

----- Original Message -----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
To: Ken Pfeil
Cc: vulnwatch () vulnwatch org
Sent: Tuesday, March 28, 2006 5:38 PM
Subject: Re: [VulnWatch] FW: failure notice

But I don't get it... It's still an untrusted web site... Sharepoint "is" a web site. And if you don't know whose site it is... it still falls into the guidance of "it's not a trusted web site".

Besides... antivirus vendors are so far protecting us..

Ken Pfeil wrote:

>Just in case anyone uses IE with Sharepoint.. Boom.
>
>----- Forwarded message from secure () microsoft com -----
>    Date: Tue, 28 Mar 2006 11:47:12 -0800
>    From: Microsoft Security Response Center <secure () microsoft com>
>Reply-To: Microsoft Security Response Center <secure () microsoft com>
> Subject: RE: Another Attack Vector
>      To: Ken () infosec101 org
>
>Hi Ken,
>
>Thanks for getting back to me. I will pass your comments on to the case
>manager handling this behavior with the SharePoint team.
>
>Thanks,
>Christopher, CISSP
>
>-----Original Message-----
>From: Ken () infosec101 org [mailto:Ken () infosec101 org]
>Sent: Tuesday 28 March 2006 11:42
>To: Microsoft Security Response Center
>Subject: RE: Another Attack Vector
>
>Thank you Christopher,
>
>But there are a bazillion different scenarios where this could be
>slightly more than detrimental. There are literally hundreds of sites
>using Sharepoint for blogs, and anonymous access is an option turned on
>by default. For a real working example, please open the file
>IE_Exploit.txt on the below site and watch filemon dance a jig..
>
>Best,
>Ken
>
>Quoting Microsoft Security Response Center <secure () microsoft com>:
>
>>Hi Ken,
>>
>>Thanks for your note. This is by-design behavior with SharePoint and
>>Internet Explorer and, as you mentioned, is related to IE MIME type
>>detection. The mitigating circumstance in this scenario is that
>>SharePoint sites are authenticated and it would be possible to "audit
>>and punish" the attacker. Just the same, I'll pass this on to the case
>>manager for this investigation.
>>
>>Thanks,
>>Christopher, CISSP
>>
>>-----Original Message-----
>>From: Ken () infosec101 org [mailto:Ken () infosec101 org]
>>Sent: Tuesday 28 March 2006 09:16
>>To: Microsoft Security Response Center
>>Subject: Another Attack Vector
>>
>>There is yet another attack vector for createTextRange() (besides
>>untrusted websites). Windows Sharepoint. If you create a txt file with
>>html tags and post it, say in "Shared Documents", IE will render it as
>>HTML in the browser when the document is clicked on instead of
>>displaying as text. Example:
>>https://foo.org/Shared%20Documents/test2.txt (code is
>>simple html here, but could have been dangerous). You might want to
>>update your advisory to include this.
>>
>>(And, I know you can de-select "Open Files Based on Content, not file
>>extension" under IE, but that opens your host to *other*
>>vulnerabilities.)
>>
>>Username for the system above for a sample doc is:
>>testuser with password of password.
>>
>>Best,
>>Ken
>
>----- End forwarded message -----

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
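Added example, not part of the original thread or written by any of its participants: a server-side audit for the behavior described in the forwarded message, flagging text-extension uploads whose leading bytes look like HTML and returning response headers that keep a browser from rendering them inline. The 256-byte window, the tag list, the function names and the sample files are assumptions made for illustration.

```python
import re

# Assumption: how many leading bytes a content-sniffing browser inspects.
SNIFF_WINDOW = 256
# Assumption: illustrative subset of tags that make a sniffer pick text/html.
HTML_HINTS = re.compile(
    rb"<\s*(html|head|body|script|title|iframe|img|table|a\s+href|plaintext|pre)\b",
    re.IGNORECASE,
)
TEXT_EXTENSIONS = (".txt", ".log", ".csv")


def sniffs_as_html(data: bytes) -> bool:
    """True if the leading bytes contain markup a sniffer may render as HTML."""
    return HTML_HINTS.search(data[:SNIFF_WINDOW]) is not None


def audit_uploads(files: dict) -> list:
    """Return names of text-extension uploads whose content looks like HTML."""
    return sorted(
        name
        for name, data in files.items()
        if name.lower().endswith(TEXT_EXTENSIONS) and sniffs_as_html(data)
    )


def safe_headers(name: str) -> dict:
    """Headers that make the browser download the file instead of rendering it."""
    clean = re.sub(r"[^\w.\- ]", "_", name)  # keep the header value well-formed
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",  # only helps in browsers that honor it
        "Content-Disposition": 'attachment; filename="%s"' % clean,
    }


# Constructed sample uploads; only the name test2.txt comes from the thread.
SAMPLE = {
    "notes.txt": b"Meeting notes for Tuesday.\nAction items follow.\n",
    "test2.txt": b"<html><body><h1>rendered, not displayed</h1></body></html>",
    "late.txt": b"x" * 300 + b"<script>1</script>",  # markup past the window
    "page.html": b"<html><body>expected HTML</body></html>",
}

if __name__ == "__main__":
    for flagged in audit_uploads(SAMPLE):
        print(flagged, safe_headers(flagged))
```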
Current thread:
- FW: failure notice Ken Pfeil (Mar 28)
- Re: FW: failure notice Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Mar 28)
- Re: FW: failure notice Michael Evanchik (Mar 29)
- Re: FW: failure notice Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Mar 28)