mailing list archives
Re: Yet another IE aperture
From: Georgi Guninski <guninski () guninski com>
Date: Sat, 9 Oct 2004 12:58:15 +0300
i didn't notice you have disclosed this (or a very similar to it bug).
besides me more than 5 people tested variations of the testcase and it worked
for all of them.
can you comment on this testcases:
redirect1.pl is hosted on apache and is:
print "Location: http://georgi.df.ru/xml2.xml\r\n\r\n";
note: if the xml is not well formed, parseError returns at least one line of
it, not to mention other exploit scenarios.
On Sat, Oct 09, 2004 at 03:28:25AM +0200, GreyMagic Security wrote:
Georgi Guninski security advisory #71, 2004
.. snip ..
By opening html in IE it is possible to read at least well formed xml from
arbitrary servers. The info then may be transmitted.
GreyMagic disclosed the EXACT same issue on August 2002, over two years ago.
Microsoft, at the time, took over 6 months to resolve the issue (initially
reported to them on Feb 2002) and eventually released a patch (MS02-047).
See http://www.greymagic.com/security/advisories/gm009-ie/ for more details
and a live PoC (it also shows a neat method to get partial content from
documents that aren't well-formed xml).
That said, all our tests of this issue currently throw an "Access denied"
exception, as they properly should. However, these tests are performed in
the Internet Zone. Your tests might have been performed in another zone that
had "Access data sources across domains" set to "Enabled," which would
enable this vulnerability by design.
Full-Disclosure - We believe in it.