Re: IIS still revealing paths for web directories
Subject: Re: IIS still revealing paths for web directories
From: Norbert Luckhardt (nl
CT.HEISE.DE)
Date: Sat Jan 15 2000 - 14:32:01 CST
Hello out there,
At 11:10 13.01.00 , Georgi Guninski wrote:
>This leads to a client side problem also.
>The problem is IIS does not escape the response, so one may put some
>HTML and javascript in the page returned from www.microsoft.com.
>Vulnerabilities:
>1) For IE (tested on 5.01, probably other versions) - if the user has
>put www.microsoft.com in the Trusted sites security zone, then hostile
>javascript and ActiveX may be executed in the Trusted sites security
>zone.
even if You mind to see <anyhost>.microsoft.com as a trusted site - it also
works with the update host where You need more rights to use it :-(
http://windowsupdate.microsoft.com/%3CIMG%20SRC=javascript:alert("Insecurity
starts here!\nwindow.location:"+window.location)%3E.ida
[URL probably wrapped]
this also works with IE (5.0 DE) and IMG SRC - I do not have to reload the
page (I guess it's because of the last IE Bug Georgi found - IE starts it
in the security context of the previously used page - when pasting the URL
in the location field it does not start when the previous URL was not able
to execute JS)
moreover: the <P>-URL puts up the dialog again immediately after closing
the box, so that You have to kill IE...
http://www.microsoft.com/%3CP%20style=left:expression(alert("window.location
:"+window.location))%3E.ida
[URL probably wrapped]
have secure fun, Shalom dann,
NOrbert
-- Norbert Luckhardt http://www.heise.de/ct/Redaktion/nl/ Redaktion c't Tel.: +49 511 5352 - 300 Fax: +49 511 5352 - 417 Helstorfer Str. 7 D-30625 Hannover BBS: +49 511 5352 - 301
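
The missing output escaping discussed in this thread, shown beside its corrected form. This is an added example, not part of the original message and not IIS code; the error template, the function names and the sample request paths are assumptions constructed for illustration.

```python
import html
from urllib.parse import unquote

# Hypothetical error template (assumption); not the text IIS actually returns.
TEMPLATE = "<html><body><p>The file {path} could not be found.</p></body></html>"

# Constructed request paths: one ordinary, one shaped like the URLs in the message.
SAMPLE_PATHS = [
    "/search/query.ida",
    "/%3CIMG%20SRC=javascript:alert(1)%3E.ida",
]

def error_page_unescaped(raw_path):
    """'Before' behaviour: the decoded request path is copied into the HTML as-is."""
    return TEMPLATE.format(path=unquote(raw_path))

def error_page_escaped(raw_path):
    """Corrected behaviour: HTML-escape the decoded path before it reaches the page."""
    return TEMPLATE.format(path=html.escape(unquote(raw_path), quote=True))

def reflects_markup(page, raw_path):
    """True when the decoded path holds markup characters and appears verbatim in the page."""
    decoded = unquote(raw_path)
    return any(c in decoded for c in "<>\"'") and decoded in page

def audit(paths):
    """Return (path, unescaped_reflects, escaped_reflects) for each request path."""
    return [
        (p,
         reflects_markup(error_page_unescaped(p), p),
         reflects_markup(error_page_escaped(p), p))
        for p in paths
    ]

if __name__ == "__main__":
    for path, before, after in audit(SAMPLE_PATHS):
        print(f"{path}: unescaped reflects markup={before}, escaped reflects markup={after}")
```

The same `reflects_markup` check can be pointed at real responses in a regression test, so an error handler that starts echoing the request path unescaped is caught before release.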
This archive was generated by hypermail 2b27 : Mon Jan 17 2000 - 20:25:44 CST