Bugtraq mailing list archives
Re: IIS still revealing paths for web directories
From: nl () CT HEISE DE (Norbert Luckhardt)
Date: Sat, 15 Jan 2000 21:32:01 +0100
Hello out there,

At 11:10 13.01.00, Georgi Guninski wrote:

> This leads to a client side problem also. The problem is IIS does not escape the response, so one may put some HTML and javascript in the page returned from www.microsoft.com.
> Vulnerabilities:
> 1) For IE (tested on 5.01, probably other versions) - if the user has put www.microsoft.com in the Trusted sites security zone, then hostile javascript and ActiveX may be executed in the Trusted sites security zone.

even if You mind to see <anyhost>.microsoft.com as a trusted site - it also works with the update host where You need more rights to use it :-(

http://windowsupdate.microsoft.com/%3CIMG%20SRC=javascript:alert("Insecurity starts here!\nwindow.location:"+window.location)%3E.ida
[URL probably wrapped]

this also works with IE (5.0 DE) and IMG SRC - I do not have to reload the page (I guess it's because of the last IE Bug Georgi found - IE starts it in the security context of the previously used page - when pasting the URL in the location field it does not start when the previous URL was not able to execute JS)

moreover: the <P>-URL puts up the dialog again immediately after closing the box, so that You have to kill IE...

http://www.microsoft.com/%3CP%20style=left:expression(alert("window.location :"+window.location))%3E.ida
[URL probably wrapped]

have secure fun,
Shalom dann,
NOrbert

--
Norbert Luckhardt http://www.heise.de/ct/Redaktion/nl/
Redaktion c't
Tel.: +49 511 5352 - 300
Fax: +49 511 5352 - 417
Helstorfer Str. 7 D-30625 Hannover
BBS: +49 511 5352 - 301
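
Added example, not part of the original message and not IIS code: a minimal model of the missing output escaping described in this thread, with the unescaped error page beside an HTML-escaped one and a check for markup in logged request paths. The error text, function names and sample paths are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Characters that can open markup or break out of an attribute once decoded.
MARKUP = re.compile(r"[<>\"']")

# Constructed sample, modelled on the request form quoted in the message:
# an element percent-encoded into the name of a nonexistent .ida file.
SAMPLE_PATH = "/%3CIMG%20SRC=javascript:alert(1)%3E.ida"

# Constructed request paths, as they might appear in a web server access log.
SAMPLE_LOG_PATHS = [
    "/default.htm",
    "/search/query.ida",
    SAMPLE_PATH,
    "/%3CP%20style=left:expression(alert(1))%3E.ida",
]


def render_error(raw_path, escape):
    """Build a hypothetical 'not found' page that names the requested path."""
    decoded = unquote(raw_path)  # the server decodes %3C / %3E before use
    shown = html.escape(decoded, quote=True) if escape else decoded
    return "<html><body><p>The file " + shown + " could not be found.</p></body></html>"


def reflects_markup(raw_path, body):
    """True if markup from the request path survives verbatim in the body."""
    decoded = unquote(raw_path)
    return bool(MARKUP.search(decoded)) and decoded in body


def suspicious_requests(paths):
    """Return the paths whose decoded form carries markup characters."""
    return [p for p in paths if MARKUP.search(unquote(p))]


if __name__ == "__main__":
    for escape in (False, True):
        body = render_error(SAMPLE_PATH, escape)
        print("escaped" if escape else "unescaped", reflects_markup(SAMPLE_PATH, body))
        print(" ", body)
    print(suspicious_requests(SAMPLE_LOG_PATHS))
```

The same `reflects_markup` check can be pointed at a real response body when testing your own server's error pages for this class of flaw.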