[20443] in bugtraq
Re: XML scripting in IE, Outlook Express
daemon@ATHENA.MIT.EDU (Leif Sawyer)
Thu Apr 26 00:44:36 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Message-ID: <BF9651D8732ED311A61D00105A9CA3150446DB8C@berkeley.gci.com>
Date: Wed, 25 Apr 2001 08:45:49 -0800
Reply-To: Leif Sawyer <lsawyer@GCI.COM>
From: Leif Sawyer <lsawyer@GCI.COM>
X-To: Georgi Guninski <guninski@GUNINSKI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
> From: Georgi Guninski writes:
>
> I continue to believe all versions of IE 5.x are vulnerable.
> A lot of people have missed the point of my advisory.
> On 20 April 2001 Microsoft released Ver. 2.0 of their
> security bulletin which seems to fix a bug but not this issue.
>
> To check whethere you are vulnerable to this issue:
> 1. Disable Active Scripting for the Internet Zone (in case
> www.guninski.com is in the Internet Zone for you).
> 2. Go to http://www.guninski.com/xstyle.eml or to
> http://www.guninski.com/xstyle.xml
> 3. If you see a message box "This is VBscript" then you are
> vulnerable because this message is produced by active scripting
> which is disabled in (1).
> 4. Worse, this works from email at least in Outlook Express.
>
Internet->Options->Security->Internet Zone
set to medium-low, then customized all scripting to "prompt"
Windows 2K SP1
I.E. 6.00.2462.0000 128bit beta preview
Prompts to enable scripting before loading the page, as well as prompting
for enabling
any active scripting. Clicking *no* on any of these causes the page to error
out:
The XML page cannot be displayed
Cannot view XML input using XSL style sheet. Please correct the
error and then
click the Refresh button, or try again later.
----------------------------------------------------------------------------
----
Unspecified error
And if I say yes to the first prompt, i get additional prompts when the
IFRAME is loaded
in the xstyle.eml page.
So it looks like M$ is getting closer to being able to control the problem.
The only
disadvantage is that I don't get a chance to see anything on the page (with
scripts disabled)
Of course, I can always say 'yes'...
