(MSIE) A rather old trick for web servers is now played on MSIE. ("that's all" is the end of file if you are in a hurry)

[tested]
MSIE v6 (CN version)
Patch: Q312461, Q328970 (MS02-066)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}

[demo]
at http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
or clik.to/liudieyu ==> viaSWFurl-MyPage section.
or
[code.url start]
http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf? "><SCRIPT>alert(document.cookie)</SCRIPT>
[code.url end]

[exp]
MSIE generates a page to load a multimedia file instead of loading it directly. The automatically generated page for loading an SWF file (SWF is the extension of a Flash file) contains the URL of the SWF file -- without any encoding. So the oldest XSS trick works on MSIE: whatever is appended to the URL ends up as raw HTML in the generated page.

that's all.

[how] (real show)
first, realize MS programmers are lazy (= "too busy") and they prefer to look wise, so you can doubt that they generate a page to load a multimedia file.
then, check it: i played a small trick: typing javascript:alert(document.body.innerHTML) in the address field when the content of MSIE is a JPG file.
soon after confirmation, try the trick and you'll find it doesn't work on a JPG file because the URL is encoded properly. (that programmer must have been fired for his defence)
now you may lose self-confidence -- MS is not that foolish. but thinking about the "document.open" hole (not "flaw") will encourage you. (the essential point!)
then after several tries, you have this document. (very few steps)

[more?]
this trick may work on other browsers, but i can't test it at present.

[BTW]
(0) merry Christmas!
(1) Greetings to "the Pull"
(2) there are many demoz at http://www.safecenter.net (thanx to "Dror Shalev" for making them)
(3) i'm busy with exams, hope you can understand and forgive my delay (the school is really crazy). i'll have a 30-day holiday. i think it's enough to make a site showing tricks i know, why they work, how to exploit them, and how people got the ideas. it's crosszone.org (not ready yet)
(4) LOTUS: i am slow.

[contact]
clik.to/liudieyu ==> "How to contact Liu Die Yu" section (any postcard? :-) )
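The [exp] section above describes the whole defect: a browser-generated wrapper page copies the media URL into its markup without encoding it. The following JavaScript is an added example, not code from the post and not Microsoft's actual wrapper page; it models that wrapper as a small HTML template with an <embed> tag (the tag and attribute names are an assumption about the page's shape), shows the unencoded version beside the hardened one, and runs the URL from the post's [code.url] block through both so the difference is visible.

```javascript
// Added example (not from the original post or from MSIE itself).
// Models the "generated page that loads a multimedia file" in two versions:
//   buildWrapperUnencoded() copies the URL verbatim into the page (the defect
//   the post describes);
//   buildWrapperEncoded()  escapes the URL before placing it in the attribute,
//   which is the fix any HTML-generating code should apply.
// The <embed> template is an assumption about what the real wrapper looked like.

// Escape the characters that can terminate or alter an HTML attribute value.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // must be first, or later entities get re-escaped
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Defective generator: the URL is interpolated without any encoding.
function buildWrapperUnencoded(url) {
  return '<html><body><embed src="' + url +
         '" width="100%" height="100%"></body></html>';
}

// Hardened generator: identical page, but the URL is attribute-encoded.
// The browser decodes the entities when it reads the src attribute, so the
// media file is still requested from the exact same URL.
function buildWrapperEncoded(url) {
  return '<html><body><embed src="' + escapeHtmlAttr(url) +
         '" width="100%" height="100%"></body></html>';
}

// Check used by the demonstration: the template itself contains no <script>
// start tag, so finding one means the URL broke out of the attribute.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the URL from the post's [code.url] block.
const PAYLOAD_URL =
  'http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?' +
  '"><SCRIPT>alert(document.cookie)</SCRIPT>';

console.log('unencoded wrapper contains a script tag:',
            containsScriptTag(buildWrapperUnencoded(PAYLOAD_URL)));   // true
console.log('encoded wrapper contains a script tag:  ',
            containsScriptTag(buildWrapperEncoded(PAYLOAD_URL)));     // false
```

The only difference between the two generators is the call to escapeHtmlAttr(); that one call is what the JPG wrapper in the [how] section evidently had and the SWF wrapper lacked. The same rule applies to any code that builds markup from a URL or other attacker-influenced string: encode for the context (here, an attribute value) at the point of insertion.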