Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Media Preview Script Execution Vulnerability

Media Preview Script Execution Vulnerability

From: Paul <paul_at_greyhats.cjb.net>
Date: 11 Jul 2004 15:55:00 -0000
('binary' encoding is not supported, stored as-is) Note: This vulnerability as well as several more can be found at http://www.geryhats.cjb.net

Media Preview Script Execution Vulnerability

[Tested]
MSDXM.DLL file version 6.4.09.1128
Microsoft Windows 2000

[Discussion]
By using the windows media player control, media can be played in a browser, including asx files, which is just a playlist of media. If one of these files on the list is a weird protocol like javascript:, it will be executed in the zone of the page that called it. At first, this seems to be a small problem. However, on windows 2000, media can be previewed on a panel to the left if the media file is in a local directory and the user clicks on it. The panel uses the windows media player control to preview the media. If a user clicks on a specially-crafted asx file, javascript will be executed in the local zone.

The example is a vulnerable asx file which, when clicked in explorer, will display a messagebox wiith the location of the directory.

Note: The asx file must be opened in the media player control. It will not work if opened in windows media player itself.

[Example]
http://freehost07.websamba.com/greyhats/asxvuln.htm
Received on Jul 12 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]