[32576] in bugtraq
Note for "Invalid ContentType may disclose cache directory"
daemon@ATHENA.MIT.EDU (Liu Die Yu)
Tue Nov 25 17:31:13 2003
Date: 25 Nov 2003 10:06:21 -0000
Message-ID: <20031125100621.24588.qmail@sf-www2-symnsj.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Liu Die Yu <liudieyuinchina@yahoo.com.cn>
To: bugtraq@securityfocus.com
This vulnerability ("Invalid ContentType may disclose cache directory") doesn't work on all systems.
("Invalid ContentType may disclose cache directory", at http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/)
Please note that execdror6 and LocalZoneInCache also depend on this vulnerability.
(execdror6: http://www.safecenter.net/UMBRELLAWEBV4/execdror6/
LocalZoneInCache: http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/)
I have spent an extraordinary amount of time on this issue and here is all I know about it:
First, the code was verified to work on a WinXp system (Simplified Chinese version) with all patches.
Then, I sent LocalZoneInCache to HTTP-EQUIV, Dror Shalev and the Pull for testing:
It works on Dror Shalev's WinXp machine (up-to-date) but it doesn't work on the Pull's Win2k system.
(because he set killbit for Adodb.Stream activeX object.)
Soon after that, HTTP-EQUIV found it does not work on his WinXp system (2-3 weeks old, with the latest IE patch).
Then, to figure out what happened, I formatted the disk and installed Win2k3 and WinXp (both Simplified Chinese version) and then applied the latest IE patch.
Both remote compromise cases (LocalZoneInCache and execdror6) don't work any more.
At last, I reproduced both remote compromise cases on MSIEv6 running on Simplified Chinese WinXp with the following patches:
SP1; Q828750; Q330994; Q824145 (a.k.a. MS03-048)
If you are using IE, please help me test it and send the result directly to my emailbox.
Thanx in advance.