|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3220 CVE : CVE-2004-1331 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : Yes Exploit Given : Yes Credit : laurent gaffie Published : 14.10.2007
Advisory Text : playing for fun with <=IE7 Impact: who knows ... Fix Available: no ------------------------------------------------------- 1) Bug 2) Proof of concept 3)Conclusion ====== 1) Bug ====== it's possible to bypass the extension filter of <=IE7 this can result by downloading an arbitrary exe file ===== 2)proof of concept ===== let's take this exemple : http://dams083.free.fr/tmp/putty.exe this is simply putty . you click on this and then you will be prompted for downloading the file. but what about if we do : http://dams083.free.fr/tmp/putty.exe?1.txt ... the .exe is showed. now let's go a bit ahead : http://dams083.free.fr/tmp/putty.exe?1.cda wow my .exe is downloaded directly and located in temporary files ( and """opened""" by windows media player). works with theses extension : .log .dif .sol .htt .itpc .itms .dvr-ms .dib .asf .tif etc ... ===== 5) Conclusion ===== this is very funny , because actually it only works for .exe extensions. .COM , .PIF , etc you CANT do this. ( overwrite the extension , and then bypass the filter) i guess we can wonder what the heck. regards laurent gaffié  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |