Subject: Re: It didn't
Name: tide
Date: 1/4/2002 3:51:13 AM (GMT-7)
IP Address: 213.180.166.102
In Reply to: It didn't posted by SickOfItAll
Message:
as long as this information or any file can not be sent back to the server...
there is a vulnerability in IE with getObject()
> > a=GetObject("http://"+location.host+"/../../../../../../test.txt","htmlfile");
> > ----------------------
> > It is funny that directory traversal on a http: URL leads to reading local files.
> >
> > Workaround/Solution:
> >
> > Disable Active Scripting and never turn it on.
> > Better, do not use IE in hostile environments such as the internet.
> >
> > Vendor status:
> >
> > Microsoft was notified on 11 December 2001.
> > They had 3 weeks to produce a patch but didn't.