[13389] in bugtraq
Re: IIS still revealing paths for web directories
daemon@ATHENA.MIT.EDU (Norbert Luckhardt)
Mon Jan 17 18:58:14 2000
Message-Id: <4.2.0.58.20000115211026.00adc100@pop.heise.de>
Date: Sat, 15 Jan 2000 21:32:01 +0100
Reply-To: Norbert Luckhardt <nl@CT.HEISE.DE>
From: Norbert Luckhardt <nl@CT.HEISE.DE>
X-To: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <387DA495.3E1C502C@nat.bg>
Hello out there,
At 11:10 13.01.00 , Georgi Guninski wrote:
>This leads to a client side problem also.
>The problem is IIS does not escape the response, so one may put some
>HTML and javascript in the page returned from www.microsoft.com.
>Vulnerabilities:
>1) For IE (tested on 5.01, probably other versions) - if the user has
>put www.microsoft.com in the Trusted sites security zone, then hostile
>javascript and ActiveX may be executed in the Trusted sites security
>zone.
even if you mind to see <anyhost>.microsoft.com as a trusted site - it also
works with the update host where you need more rights to use it :-(
http://windowsupdate.microsoft.com/%3CIMG%20SRC=javascript:alert("Insecurity
starts here!\nwindow.location:"+window.location)%3E.ida
[URL probably wrapped]
this also works with IE (5.0 DE) and IMG SRC - I do not have to reload the
page (I guess it's because of the last IE Bug Georgi found - IE starts it
in the security context of the previously used page - when pasting the URL
in the location field it does not start when the previous URL was not able
to execute JS)
moreover: the <P>-URL puts up the dialog again immediately after closing
the box, so that you have to kill IE...
http://www.microsoft.com/%3CP%20style=left:expression(alert("window.location
:"+window.location))%3E.ida
[URL probably wrapped]
have secure fun, Shalom dann,
Norbert
--
Norbert Luckhardt http://www.heise.de/ct/Redaktion/nl/
Redaktion c't Tel.: +49 511 5352 - 300 Fax: +49 511 5352 - 417
Helstorfer Str. 7 D-30625 Hannover BBS: +49 511 5352 - 301
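
Added example, not part of the original message and not IIS code: the unescaped reflection described in the thread next to the same error page with the path HTML-escaped at output time, plus a helper for spotting such requests in access logs. The error-page wording and all function names are assumptions; the two request paths are the ones quoted above, rejoined across the mail's line wrap.

```javascript
// Paths from the message above (wrapped lines rejoined) plus one constructed benign path.
const SAMPLE_PATHS = [
  '/%3CIMG%20SRC=javascript:alert("Insecurity starts here!\\nwindow.location:"+window.location)%3E.ida',
  '/%3CP%20style=left:expression(alert("window.location:"+window.location))%3E.ida',
  '/search/query.ida', // constructed
];

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Percent-decode the way a server does before using the path; keep the raw
// string if it contains a malformed %-sequence.
function decodePath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch (err) {
    return rawPath;
  }
}

// Behaviour the thread describes: the decoded path is copied into the page as-is.
function errorPageUnescaped(rawPath) {
  return `<html><body><p>The file ${decodePath(rawPath)} could not be found.</p></body></html>`;
}

// Hardened form: identical page, path escaped at the point of output.
function errorPageEscaped(rawPath) {
  return `<html><body><p>The file ${escapeHtml(decodePath(rawPath))} could not be found.</p></body></html>`;
}

// Log-review helper: true when the decoded path carries HTML metacharacters.
function pathCarriesMarkup(rawPath) {
  return /[<>"']/.test(decodePath(rawPath));
}

for (const p of SAMPLE_PATHS) {
  console.log(pathCarriesMarkup(p) ? 'FLAG' : 'ok  ', errorPageEscaped(p));
}
```

Escaping happens after decoding and at output time, so the check does not depend on how the markup was encoded in the request.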