Who framed Internet Explorer.

[Euclid]

Taken from : GreyMagic Security Research ( http://sec.greymagic.com/news/ )

09-Sep-2002- Internet Explorer does it again. This time, sites that use frames or iframes are exposing their users to attacks. We discovered that it is possible for an attacker to execute script on any site that contains a frame or iframe element, ignoring any protocol or domain restriction set forth by Internet Explorer. This means that with little effort, an attacker is able to read local files, execute arbitrary programs, steal cookies, forge site content and more.

Read the rest Here

[dev_ocean]

microsoft's motto: we'll, we'll rock you.(again and again and again.....

[cross]

read through that, and found it very interesting. Although besides reading certain files off of a vulerable server, what could possably be done here? I see that you can run code on there, what kind of code is it, and what kind of security problems does this make?

I am open to comments...

Have done some extensive testing on this and found it does not work correctly, or as stated. I have gotten it to work locally from the source, but fail to get it to work correctly remotely...

[micael]

What I can see is the code execution a variation of a old (several?) vulnerabilitie(s).

The danger could be if someone could plant a custom executable on the system. Or if its possible to pass switches to command utilities with this vulnerability. I could not start a program and pass switches to it with this vulnerability, but Im far from a programming expert and a skilled person may find a way to do this.

Similiar security flaws can be found in the following threads (and older threads aswell):

http://www.antionline.com/showthread...hreadid=233620
http://www.antionline.com/showthread...hreadid=233979

~micael