[WEB SECURITY] RE: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data

Gaurav Kumar gaurav at securebox.org
Thu Dec 22 03:15:41 EST 2005


>
> Not Exactly !! I would rather suggest you to do a little more research and
> draw any conclusion. Keep those _Security Zones_ in mind before you post
> anything...
>
>
I did the research on Windows XP SP2.

The script with ActiveX and XML was uploaded to
http://www.geocities.com/gaurav_e2/exp.html
The screenshot at the following URL shows the note.xml placed at C:\
while Ethereal is showing the data being POSTed to the attacker's site.

http://rapidshare.de/files/9619254/gaurav_kumar.JPG.html

Clearly geocities.com is in Internet zone.

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


