
List:       bugtraq
Subject:    Note for "Invalid ContentType may disclose cache directory"
From:       Liu Die Yu <liudieyuinchina () yahoo ! com ! cn>
Date:       2003-11-25 10:06:21



Note for "Invalid ContentType may disclose cache directory"

This vulnerability ("Invalid ContentType may disclose cache directory") doesn't work
on all systems. ("Invalid ContentType may disclose cache directory", at
http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/) Please note that execdror6
and LocalZoneInCache also depend on this vulnerability.
(execdror6: http://www.safecenter.net/UMBRELLAWEBV4/execdror6/
LocalZoneInCache: http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/)
I have spent extraordinary time on this issue and here is all I know about it:

First, the code was verified to work on a WinXp system (Simplified Chinese version)
with all patches. Then, I sent LocalZoneInCache to HTTP-EQUIV, Dror Shalev and the
Pull for testing: it works on Dror Shalev's WinXp machine (up-to-date) but it doesn't
work on the Pull's Win2k system (because he set the killbit for the Adodb.Stream
ActiveX object). Soon after that, HTTP-EQUIV found it does not work on his WinXp
system (2-3 weeks old, with the latest IE patch). Then, to figure out what happened,
I formatted the disk and installed Win2k3 and WinXp (both Simplified Chinese version)
and then applied the latest IE patch. Both remote compromise cases (LocalZoneInCache
and execdror6) don't work any more. At last, I reproduced both remote compromise
cases on MSIEv6 running on Simplified Chinese WinXp with the following patches:
SP1; Q828750; Q330994; Q824145 (a.k.a. MS03-048)

If you are using IE, please help me test it and send the result directly to my
email box. Thanks in advance.

