MSIE->LinkillerSaveRef:another caller-based authorization

From: Liu Die Yu (liudieyuinchina_at_yahoo.com.cn)
Date: 09/10/03

  • Next message: Everett Feldt: "Re: XSS vulnerability in phpBB (an other ;-)"
    Date: 10 Sep 2003 05:35:20 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    LinkillerSaveRef:another caller-based authorization(is
    broken).
    ("that's all" is end of file if you are in a hurry)

    [tested]
    Browser Ver
    {
    MS Internet Explorer: 6.0.2600.0000.xpclnt_qfe.021108-2107;
    Encryption: 128-bit;
    Patch:; Q810847;
    }
    (So, it's far from fully patched. It also works after
    applying the patch for method caching attack.)
    OS Ver: "Windows XP Cn ver"

    [demo]
    http://www.safecenter.net/liudieyu/LinkillerSaveRef/LinkillerSaveRef-MyPage.HTM
    or
    http://umbrella.mx.tc
    ---> LinkillerJPU section
    ---> LinkillerJPU-MyPage file

    [exp]
    refer to "Linkiller" at UMBRELLA.MX.TC
    progress:
    another caller-based authorization.
    "method caching attack" still works if root-caller is
    the victim.

    [how]
    got a new hammer, search for a new nail.

    [greetings]
    the Pull, dror, guninski, http-equiv, sandblad,
    greymagic and "Friedrich L.Bauer"(man, for your
    execellent book).
    of course, mom and dad.

    best wishes

    -----
    from http://Umbrella.MX.TC on http://SafeCenter.NET


  • Next message: Everett Feldt: "Re: XSS vulnerability in phpBB (an other ;-)"