Note for "Invalid ContentType may disclose cache directory"
This vulnerability ("Invalid ContentType may disclose cache directory") doesn't
work on all systems.
("Invalid ContentType may disclose cache directory", at
http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/)
Please note that execdror6 and LocalZoneInCache also depend on this
vulnerability.
(execdror6: http://www.safecenter.net/UMBRELLAWEBV4/execdror6/
LocalZoneInCache: http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/)
I have spent extraordinary time on this issue and here is all I know about it:
First, the code was verified to work on a WinXp system (Simplified Chinese
version) with all patches.
Then, I sent LocalZoneInCache to HTTP-EQUIV, Dror Shalev and the Pull for
testing:
It works on Dror Shalev's WinXp machine (up-to-date) but it doesn't work on the
Pull's Win2k system
(because he set the killbit for the Adodb.Stream ActiveX object).
Soon after that, HTTP-EQUIV found it does not work on his WinXp system (2-3
weeks old, with the latest IE patch).
Then, to figure out what happened, I formatted the disk and installed Win2k3 and
WinXp (both Simplified Chinese version) and then applied the latest IE patch.
Both remote compromise cases (LocalZoneInCache and execdror6) don't work any
more.
At last, I reproduced both remote compromise cases on MSIEv6 running on
Simplified Chinese WinXp with the following patches:
SP1; Q828750; Q330994; Q824145 (a.k.a. MS03-048)
If you are using IE, please help me test it and send the result directly to my
email box.
Thanx in advance.