Exploiting cross-domain scripting vulnerabilities?
From: Alla Bezroutchko (alla@scanit.be)
Date: 08/22/02
Date: Thu, 22 Aug 2002 13:54:44 +0200
From: Alla Bezroutchko <alla@scanit.be>
To: vuln-dev@securityfocus.com
Hello all,
Quite a few browser vulnerabilities (BugTraq ID 5473 - Web Folders HTML
injection - being the latest) allow a web site to execute HTML code in
"Local Computer" security zone. At least those bugs allow a web site to
read local files. My question is: is there anything else you can do with
this type of bug? Like running arbitrary commands?
Usually you have a piece of text of limited size that you can inject.
This rules out Java applets as far as I understand. Wscript.Shell
ActiveX control also seems to be a problem because IE shows a dialog box
saying something about unsafe ActiveX controls. So is there anything
else interesting one can do with cross-domain scripting?
Alla.