[25482] in bugtraq


RE: Update and comments on the MS02-023 patch, holes still remain

daemon@ATHENA.MIT.EDU (Thor Larholm)
Fri May 17 11:48:26 2002

Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB1BD443@mailsrv1.jubii.dk>
From: Thor Larholm <Thor@jubii.dk>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Fri, 17 May 2002 14:36:00 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"

In my comments I wrote that the cssText vulnerability appeared to be
patched. After further testing and research I will have to correct myself,
as the issue is not patched at all.

To sum it up:

On February 18, GreyMagic discovered a vulnerability in the cssText property
of imported stylesheets. After Microsoft had researched it for 44 days
GreyMagic released their advisory on April 2. According to the MS02-023
bulletin released by Microsoft on May 15, this vulnerability should now be
patched. However, using a simple HTTP redirect circumvents this new
'protection'.

I seem not to be the only one who has discovered this fact. GreyMagic
Software have updated their advisory on the cssText vulnerability and
bundled a new example that works "post MS02-023", which can be found at

http://sec.greymagic.com/adv/gm004-ie/


Regards
Thor Larholm
Jubii A/S - Internet Programmer
