Full Disclosure mailing list archives

Re: [WEB SECURITY] RE: new attack technique? using JavaScript+XML+OWSPost Data


From: Gaurav Kumar <gaurav () securebox org>
Date: Thu, 22 Dec 2005 13:45:41 +0530


Not Exactly !! I would rather suggest you do a little more research and
draw any conclusion. Keep those _Security Zones_ in mind before you post
anything...


I did the research on Windows XP SP2

The script with ActiveX and XML was uploaded to
http://www.geocities.com/gaurav_e2/exp.html
The screenshot at the following URL shows note.xml placed at C:\
while Ethereal shows the data being POSTed to the attacker's site.

http://rapidshare.de/files/9619254/gaurav_kumar.JPG.html

Clearly geocities.com is in the Internet zone.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

