Note for "Invalid ContentType may disclose cache directory"
- To: bugtraq@securityfocus.com
- Subject: Note for "Invalid ContentType may disclose cache directory"
- From: Liu Die Yu <liudieyuinchina@yahoo.com.cn>
- Date: 25 Nov 2003 10:06:21 -0000
This vulnerability ("Invalid ContentType may disclose cache directory") doesn't
work on all systems.
("Invalid ContentType may disclose cache directory", at
http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/)
Please note that execdror6 and LocalZoneInCache also depend on this
vulnerability.
(execdror6: http://www.safecenter.net/UMBRELLAWEBV4/execdror6/
LocalZoneInCache: http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/)
I have spent extraordinary time on this issue and here is all I know about it:
First, the code was verified to work on a WinXp system (Simplified Chinese
version) with all patches.
Then, I sent LocalZoneInCache to HTTP-EQUIV, Dror Shalev and the Pull for
testing:
It works on Dror Shalev's WinXp machine (up-to-date) but it doesn't work on the
Pull's Win2k system
(because he set the killbit for the Adodb.Stream ActiveX object).
Soon after that, HTTP-EQUIV found it does not work on his WinXp system (2-3
weeks old, with the latest IE patch).
Then, to figure out what happened, I formatted the disk and installed Win2k3 and
WinXp (both Simplified Chinese version) and then applied the latest IE patch.
Both remote compromise cases (LocalZoneInCache and execdror6) don't work any
more.
At last, I reproduced both remote compromise cases on MSIEv6 running on
Simplified Chinese WinXp with the following patches:
SP1; Q828750; Q330994; Q824145 (a.k.a. MS03-048)
If you are using IE, please help me test it and send the result directly to my
emailbox.
Thanx in advance.