Re: It didn't



Subject: Re: It didn't
Name: tide
Date: 1/4/2002 3:51:13 AM (GMT-7)
IP Address: 213.180.166.102
In Reply to: It didn't posted by SickOfItAll
Message:

as long as this information or any file cannot be sent back to the server...

there is a vulnerability in IE with getObject()

> > a=GetObject("http://"+location.host+"/../../../../../../test.txt","htmlfile");
> > ----------------------
> > It is funny that directory traversal on a http: URL leads to reading local files.
> >
> > Workaround/Solution:
> >
> > Disable Active Scripting and never turn it on.
> > Better, do not use IE in hostile environments such as the internet.
> >
> > Vendor status:
> >
> > Microsoft was notified on 11 December 2001.
> > They had 3 weeks to produce a patch but didn't.
