Here, let's make the rendering issue simple: Due to IE being so content help-happy there are a myriad of IE-friend file types (e.g.-.jpg) that one can simply rename a metafile to for purpose of web exploitation, and IE will pull out the wonderful hey; you're-not-a-jpeg-you're-a-something-else-that-I-can- -automatically-handle trick err /feature/ for you. Windows Explorer/My Computer preview/thumbnail thingy=IE for purposes of rendering engine. Stocking Stuffer Sploit-use Samples: http://sharepoint2003/bizdir/your_custom_folder_icon.jpg http://yourcorp_web_based_DMS/surprise_not_a.doc etc. For your experimentation pleasure, I have benign JPEGs and one WMF with modified extension names found here: http://www.anachronic.com/xss/ Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc candy is a JPEG also renamed doc, and win32api is a JPEG renamed to wmf. Mix and match to your hearts content. <obvious> http://www.anachronic.com/xss/skatebrd.wmf = http://www.anachronic.com/xss/statebrd.jpg and http://www.anachronic.com/xss/win32api.jpg = http://www.anachronic.com/xss/win32api.wmf and so on and so forth. These are only posted for those of you who need to make this RealSimple(tm) to someone, or validate what things do auto/magicbyte rendering. </obvious> You may reach me by using my first name at the domain listed in the links above with threats, complaints, or creative uses for the WMF rendering issue. Merry Metafiling, -ae
