>> Matthew Flaschen <[EMAIL PROTECTED]> to Peter, full-disclosure
>> Aren't cross-zone urls disallowed by default, though?

I agree with Matthew & Brian. If cmd.exe can be run from a browser using file:// irrespective of cross-zone security boundaries then there are *much* other urgent things to be attended. However, there are other attack vectors out of which few are already mentioned by Nick. This can definitely be exploitable in conjunction with other attack vectors.

regards,
-d

On 10/23/06, Brian Eaton <[EMAIL PROTECTED]> wrote:
> On 10/23/06, Peter Ferrie <[EMAIL PROTECTED]> wrote:
> > > > file://
> > > > ?
> > >
> > > OK, I'll bite. Why are file:// URLs relevant to the discussion?
> >
> > It allows arbitrary data to be passed to CMD.EXE, without first owning the
> > system.
>
> You're telling me that a web page I view in IE can do this?
>
> cmd.exe /K del /F /Q /S C:\*
>
> Forgive my skepticism. Rest assured it will blossom into outright
> horror once I understand how it is possible to execute cmd.exe from an
> HTML document.
>
> Regards,
> Brian
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
