[20457] in bugtraq


Re: XML scripting in IE, Outlook Express

daemon@ATHENA.MIT.EDU (Farley, Tim (ISSAtlanta))
Thu Apr 26 04:18:52 2001

MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Message-ID:  <7783A141C794D4118AAA00306E00B0B1E212B9@msgatl06.iss.net>
Date:         Wed, 25 Apr 2001 13:07:48 -0400
Reply-To: "Farley, Tim (ISSAtlanta)" <TFarley@ISS.NET>
From: "Farley, Tim (ISSAtlanta)" <TFarley@ISS.NET>
X-To:         Georgi Guninski <guninski@GUNINSKI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

> I continue to believe all versions of IE 5.x are vulnerable.
> A lot of people have missed the point of my advisory.
> On 20 April 2001 Microsoft released Ver. 2.0 of their
> security bulletin which seems to fix a bug but not this issue.
>
> To check whether you are vulnerable to this issue:
> 1. Disable Active Scripting for the Internet Zone (in case
> www.guninski.com is in the Internet Zone for you).
> 2. Go to http://www.guninski.com/xstyle.eml or to
> http://www.guninski.com/xstyle.xml
> 3. If you see a message box "This is VBscript"  then you are
> vulnerable because this message is produced by active
> scripting which is disabled in (1).
> 4. Worse, this works from email at least in Outlook Express.

I am afraid I must agree with Toni and contradict you.

I followed the exact procedure you describe above, and my copy of IE 5.5
does NOT appear to be vulnerable.  Instead of a message box, I get this in
the browser window:

--------------------------------------------------------------------------------
Microsoft JScript runtime error Automation server can't create object
line = 2, col = 0 (line is offset from the tag). Error returned from property or
method call.
The XML page cannot be displayed
Cannot view XML input using XSL style sheet. Please correct the error and
then click the Refresh button, or try again later.
Microsoft JScript runtime error Automation server can't create object
line = 2, col = 0 (line is offset from the tag). Error returned from property or
method call.
--------------------------------------------------------------------------------

(That text appears inside an IFRAME for the .EML variation).

I am running the following:

NT 4.0 SP6a
IE 5.5.4522.1800
Updates: SP1, Q279328, Q261255 (and maybe others but the about box truncates
this list).
WSCRIPT.EXE 5.1.0.4615
MSXML.DLL 8.00.5226.0

I have just about everything set to "Disabled" in my Internet zone.

Let me know if you need other version or configuration information.

=====================================
MY PHONE NUMBERS HAVE CHANGED!  PLEASE MAKE NOTE OF THE NEW ONES BELOW.
=====================================
Tim Farley
Senior Researcher
Internet Security Systems

tfarley@iss.net
(404) 236-2600 / Direct Dial (404) 236-2873 / fax (404) 236-2624
http://www.iss.net

Internet Security Systems - The Power to Protect
=====================================
