Full Disclosure mailing list archives

Re: Yet another IE aperture


From: Georgi Guninski <guninski () guninski com>
Date: Sat, 9 Oct 2004 12:58:15 +0300

I didn't notice you had disclosed this (or a very similar bug).

Besides me, more than 5 people tested variations of the testcase and it worked
for all of them.

Can you comment on these testcases:

http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo2.html
http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo.html

redirect1.pl is hosted on Apache and is:
-----------------------
#!/usr/bin/perl
use strict;

# The CGI emits only a Location: header; Apache turns it into a 302 to the other host.
print "Location: http://georgi.df.ru/xml2.xml\r\n\r\n";

-----------------------

Note: if the XML is not well formed, parseError returns at least one line of
it, not to mention other exploit scenarios.

-- 
georgi


On Sat, Oct 09, 2004 at 03:28:25AM +0200, GreyMagic Security wrote:
Georgi Guninski security advisory #71, 2004
http://www.guninski.com/where_do_you_want_billg_to_go_today_1.html

.. snip ..

By opening HTML in IE it is possible to read at least well-formed XML from
arbitrary servers. The info then may be transmitted.

GreyMagic disclosed the EXACT same issue in August 2002, over two years ago.
Microsoft, at the time, took over 6 months to resolve the issue (initially
reported to them in Feb 2002) and eventually released a patch (MS02-047).

See http://www.greymagic.com/security/advisories/gm009-ie/ for more details
and a live PoC (it also shows a neat method to get partial content from
documents that aren't well-formed xml).

That said, all our tests of this issue currently throw an "Access denied"
exception, as they properly should. However, these tests are performed in
the Internet Zone. Your tests might have been performed in another zone that
had "Access data sources across domains" set to "Enabled," which would
enable this vulnerability by design.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
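The redirect script in Georgi's message, combined with "read XML from arbitrary servers", is the classic shape of a cross-domain check that is applied to the URL a page requests rather than to the URL that finally serves the data. The following is an added Python model of that distinction; it is not code from the thread, from either advisory, or from IE, and it makes no claim about how IE's check was actually implemented. The hostnames are the ones in the thread, the server responses are constructed stand-ins, and the `zone_allows_cross_domain` flag is an assumed stand-in for the "Access data sources across domains" zone setting GreyMagic mentions.

```python
"""Added example, not code from the thread or from IE: a toy fetcher that
follows Location: redirects, and two cross-domain checks for an XML load.
The first decides on the URL the page asked for (the pattern a redirect
defeats), the second on every URL that was actually contacted.  Hostnames
come from the thread; the responses below are constructed stand-ins."""
from urllib.parse import urljoin, urlsplit

# Constructed responses: (status, headers, body) for the hosts in the
# thread.  redirect1.pl mirrors the Perl CGI quoted by Georgi.
FAKE_SERVERS = {
    "http://www.guninski.com/redirect1.pl":
        (302, {"Location": "http://georgi.df.ru/xml2.xml"}, b""),
    "http://www.guninski.com/local.xml":
        (200, {"Content-Type": "text/xml"}, b"<local/>"),
    "http://georgi.df.ru/xml2.xml":
        (200, {"Content-Type": "text/xml"}, b"<secret>data on georgi.df.ru</secret>"),
}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, port) triple; default ports are filled in so that
    http://a/ and http://a:80/ compare equal."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port)


def fetch(url, max_redirects=5):
    """Follow redirects the way a browser does.  Returns (chain, body)
    where chain lists every URL contacted, first to last."""
    chain = [url]
    for _ in range(max_redirects):
        status, headers, body = FAKE_SERVERS[url]
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])  # relative Location: allowed
            chain.append(url)
            continue
        return chain, body
    raise RuntimeError("too many redirects")


def load_xml_checked_before_redirect(document_url, src, zone_allows_cross_domain=False):
    """Weak check: compares origins using only the requested URL.  A
    same-origin redirector (redirect1.pl) passes, and the body then comes
    from wherever the redirect pointed."""
    if not zone_allows_cross_domain and origin(src) != origin(document_url):
        raise PermissionError("Access denied")
    _chain, body = fetch(src)
    return body


def load_xml_checked_after_redirect(document_url, src, zone_allows_cross_domain=False):
    """Stronger check: every URL in the redirect chain must share the
    document's origin, unless the zone setting 'Access data sources
    across domains' (modelled by the flag) permits cross-domain reads
    by design."""
    chain, body = fetch(src)
    if not zone_allows_cross_domain:
        for hop in chain:
            if origin(hop) != origin(document_url):
                raise PermissionError("Access denied after redirect to %s" % hop)
    return body


def is_denied(loader, document_url, src, **kw):
    """True if the loader refuses the load (helper for the demo below)."""
    try:
        loader(document_url, src, **kw)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    doc = "http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo.html"
    src = "http://www.guninski.com/redirect1.pl"
    print("redirect chain:", fetch(src)[0])
    print("checked before redirect:", load_xml_checked_before_redirect(doc, src))
    print("checked after redirect denied:", is_denied(load_xml_checked_after_redirect, doc, src))
```

With the weak check the page on www.guninski.com receives the body served by georgi.df.ru; with the chain check the same load raises "Access denied", which is the exception GreyMagic reports seeing in the Internet Zone, and flipping the zone flag reproduces the "enabled by design" case.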
