I didn't notice you have disclosed this (or a bug very similar to it). Besides me, more than 5 people tested variations of the testcase and it worked for all of them.
Can you comment on these testcases:

http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo2.html
http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo.html

redirect1.pl is hosted on Apache and is:

-----------------------
#!/usr/bin/perl
# CGI script: the Location header makes Apache answer with a redirect
# to the XML document on the other host.
print "Location: http://georgi.df.ru/xml2.xml\r\n\r\n";
-----------------------

Note: if the XML is not well formed, parseError returns at least one line of it, not to mention other exploit scenarios.

--
georgi

On Sat, Oct 09, 2004 at 03:28:25AM +0200, GreyMagic Security wrote:
> >Georgi Guninski security advisory #71, 2004
> >http://www.guninski.com/where_do_you_want_billg_to_go_today_1.html
>
> .. snip ..
>
> >By opening html in IE it is possible to read at least well formed xml from
> >arbitrary servers. The info then may be transmitted.
>
> GreyMagic disclosed the EXACT same issue on August 2002, over two years ago.
> Microsoft, at the time, took over 6 months to resolve the issue (initially
> reported to them on Feb 2002) and eventually released a patch (MS02-047).
>
> See http://www.greymagic.com/security/advisories/gm009-ie/ for more details
> and a live PoC (it also shows a neat method to get partial content from
> documents that aren't well-formed xml).
>
> That said, all our tests of this issue currently throw an "Access denied"
> exception, as they properly should. However, these tests are performed in
> the Internet Zone. Your tests might have been performed in another zone that
> had "Access data sources across domains" set to "Enabled," which would
> enable this vulnerability by design.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
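The testcase above pairs a same-origin CGI (redirect1.pl) with a 302 to a document on another host: a client that checks the origin of the URL it was handed and then lets its HTTP layer follow the redirect silently ends up reading cross-origin data. What follows is an added example, not code from the advisory, from GreyMagic or from the browser, that reproduces that shape locally and shows the check that stops it. Two HTTP servers on 127.0.0.1 with different ports stand in for the attacker's Apache and for georgi.df.ru (different port, different origin); the redirect handler plays the role of redirect1.pl; the XML body is constructed sample data; and a naive fetch is contrasted with one that recomputes the origin on every redirect hop and refuses to leave the starting origin.

```python
"""Added example (not code from the advisory): a redirect-based cross-origin read
and the per-hop origin check that stops it. Everything runs on 127.0.0.1."""
import http.client
import http.server
import threading
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for http://georgi.df.ru/xml2.xml (sample data, not real).
SECRET_XML = b'<?xml version="1.0"?>\n<data>constructed cross-origin sample</data>\n'
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class VictimHandler(http.server.BaseHTTPRequestHandler):
    """The 'other domain' that serves the XML an attacker wants to read."""

    def do_GET(self):
        if self.path != "/xml2.xml":
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(SECRET_XML)))
        self.end_headers()
        self.wfile.write(SECRET_XML)

    def log_message(self, *args):  # keep the demo quiet
        pass


class AttackerHandler(http.server.BaseHTTPRequestHandler):
    """Mimics redirect1.pl: a same-origin URL that 302s to the victim's XML."""

    victim_url = None  # filled in by run_demo() once the victim server is up

    def do_GET(self):
        if self.path != "/redirect1.pl":
            self.send_error(404)
            return
        self.send_response(302)
        self.send_header("Location", self.victim_url)
        self.end_headers()

    def log_message(self, *args):
        pass


def origin(url):
    """(scheme, host, port) triple; two URLs share an origin only if these are equal."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, p.port or default)


def naive_fetch(url):
    """What the vulnerable client does: check nothing, let the library follow 302s."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    with opener.open(url, timeout=5) as resp:
        return resp.read()


def same_origin_fetch(url, max_redirects=5):
    """Follow redirects by hand and refuse any hop that leaves the starting origin."""
    start = origin(url)
    for _ in range(max_redirects + 1):
        p = urlsplit(url)
        conn = http.client.HTTPConnection(p.hostname, p.port, timeout=5)
        try:
            conn.request("GET", (p.path or "/") + ("?" + p.query if p.query else ""))
            resp = conn.getresponse()
            body = resp.read()
        finally:
            conn.close()
        if resp.status not in REDIRECT_STATUSES:
            return body
        url = urljoin(url, resp.getheader("Location", ""))
        if origin(url) != start:  # the check the naive client never makes
            raise PermissionError(f"redirect leaves origin {start}: {url}")
    raise RuntimeError("too many redirects")


def start_server(handler_cls):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address
    return srv, f"http://{host}:{port}"


def run_demo():
    """Returns (bytes the naive client leaked, whether the checking client refused)."""
    victim, victim_base = start_server(VictimHandler)
    AttackerHandler.victim_url = victim_base + "/xml2.xml"
    attacker, attacker_base = start_server(AttackerHandler)
    try:
        url = attacker_base + "/redirect1.pl"  # same origin as the attacker's own page
        leaked = naive_fetch(url)
        try:
            same_origin_fetch(url)
            refused = False
        except PermissionError:
            refused = True
        return leaked, refused
    finally:
        attacker.shutdown()
        attacker.server_close()
        victim.shutdown()
        victim.server_close()


if __name__ == "__main__":
    leaked, refused = run_demo()
    print("naive client read the cross-origin body:", leaked == SECRET_XML)
    print("origin-checking client refused the redirect:", refused)
```

The point of the example is where the check sits: comparing only the URL first handed to the client is useless here, because that URL is same-origin by construction; the comparison has to be repeated against the target of every redirect hop before the body is handed to script.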
