Posted 12-17-2004, 12:14 PM by Mr. Laz (Topic Starter)
Tech: IE security exploit (even with patched system)

Internet Explorer Cross-Site Scripting Vulnerability Test

http://secunia.com/internet_explorer...rability_test/

Secunia Advisory: SA13482
Release Date: 2004-12-16

Critical: Moderately critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6


Description:
Paul has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct cross-site scripting attacks.

The vulnerability is caused due to an error in the DHTML Edit ActiveX control when handling the "execScript()" function in certain situations. This can be exploited to execute arbitrary script code in a user's browser session in context of an arbitrary site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:

http://secunia.com/internet_explorer...rability_test/

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.

Solution:
Set security level to high for the "Internet" zone (disable ActiveX support).

Provided and/or discovered by:
Paul (from greyhats)


Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Introduction


Paul has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct sophisticated cross-site scripting attacks against any web site.

Please see the test below for an example of how this vulnerability can be exploited.

Click the link below in order to test whether or not your system is vulnerable. The test will open a new window, where the address bar writes "https://www.paypal.com/", but the page is actually displaying content from Secunia.

Please note: If you wish to run the test multiple times, then please refresh this page before each test.


Result
You are vulnerable, if a new window is opened displaying a Secunia page, but the address bar is displaying "https://www.paypal.com/".


What should you do?

Please view the appropriate Secunia advisory for information about how you can fix or mitigate the impact of this vulnerability. The Secunia advisory will be updated when the vendor issues patches.

View the Secunia advisory regarding your browser:
- [SA13482] Internet Explorer 6.0

In order to protect yourself, it is a very good idea to stay informed about the latest threats from vulnerabilities in the software you are using.

Secunia offers a free weekly newsletter, which covers the latest threats from vulnerabilities.

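The workaround quoted in the post above (High security level for the "Internet" zone, ActiveX disabled) can be checked from the registry. The PowerShell script below is an added example, not part of the original post or the Secunia advisory. It assumes the standard per-user zone settings under HKCU and the URL action values 1200, 1201 and 1405, and it does not evaluate Group Policy overrides.

```powershell
# Added example: audit the IE "Internet" zone (zone 3) against the advisory's workaround.
# Assumption: per-user settings only; Group Policy overrides are not evaluated.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL actions that control whether ActiveX controls run and can be scripted
$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled'; 65536 = 'Administrator approved only' }

function Get-ZoneDword([string]$Name) {
    $item = Get-ItemProperty -Path $zoneKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not set for this user
    return [int]($item.$Name)
}

# CurrentLevel 0x12000 is the "High" template; 0 means a custom level
$level = Get-ZoneDword 'CurrentLevel'
$levelText = if ($null -eq $level) { 'not set' } else { '0x{0:X}' -f $level }
Write-Output "Internet zone CurrentLevel: $levelText (High is 0x12000)"

$failed = 0
foreach ($id in $actions.Keys) {
    $value = Get-ZoneDword $id
    if ($null -eq $value) {
        $state = 'not set'
    } elseif ($meaning.ContainsKey($value)) {
        $state = $meaning[$value]
    } else {
        $state = "unknown ($value)"
    }
    # Only an explicit "Disabled" (3) satisfies the workaround
    $ok = ($value -eq 3)
    if (-not $ok) { $failed++ }
    $mark = if ($ok) { 'OK  ' } else { 'WEAK' }
    Write-Output ("[{0}] {1} {2}: {3}" -f $mark, $id, $actions[$id], $state)
}

if ($failed -eq 0) {
    Write-Output 'ActiveX is disabled for the Internet zone, matching the workaround.'
} else {
    Write-Output "$failed ActiveX setting(s) are not disabled in the Internet zone."
}
```

Run it as the user whose browser settings are being audited, since the values are read from that user's HKCU hive.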
 
