[20464] in bugtraq
Re: XML scripting in IE, Outlook Express
daemon@ATHENA.MIT.EDU (David LeBlanc)
Thu Apr 26 13:14:54 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 7bit
Message-ID: <00d201c0ce61$24a3fb90$0100a8c0@davenet.local>
Date: Thu, 26 Apr 2001 07:40:26 -0700
Reply-To: dleblanc@mindspring.com
From: David LeBlanc <dleblanc@mindspring.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3AE6DA5A.D0D8D5FE@guninski.com>
> From: Georgi Guninski
> Toni Lassila wrote:
> > > Workaround: I do not know of workaround but Microsoft
> claims updating
> > > WSH solves the issue.
> I continue to believe all versions of IE 5.x are vulnerable.
> A lot of people have missed the point of my advisory.
> On 20 April 2001 Microsoft released Ver. 2.0 of their
> security bulletin
> which seems to fix
> a bug but not this issue.
You're wrong.
I put your site in the restricted sites zone, which is where I run my
e-mail, and which is default for Outlook 2000 + security patch or Office XP.
Instead of having your demo pop up, I got:
Microsoft JScript runtime error Automation server can't create object line =
2, col = 0 (line is offset from the tag). Error returned from property or
method call. The XML page cannot be displayed.
I am running Win2k SP1 + IE 5.5 + the updated WSH.
I suppose it would be best to thoroughly test things instead of supposing
that this, that or the other version is vulnerable. I also suppose that
working with the vendor will help clarify the details of whether something
is or is not a problem under a given set of conditions, and further suppose
that these details being available and accurate might help people to respond
in an appropriate manner. Of course, that's supposing that one's objective
is to help people be more secure. I suppose that if someone had some other
objective, then they might behave differently.
Of course, supposing that the original poster does not take the time to test
thoroughly and preset accurate information that the astute denizens of this
list will certainly get to the bottom of the problem eventually.
