Media Preview Script Execution Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Media Preview Script Execution Vulnerability
From: Paul <paul@xxxxxxxxxxxxxxxx>
Date: 11 Jul 2004 15:55:00 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Note: This vulnerability as well as several more can be found at 
http://www.geryhats.cjb.net

Media Preview Script Execution Vulnerability 

[Tested]
MSDXM.DLL file version 6.4.09.1128
Microsoft Windows 2000 

[Discussion]
By using the windows media player control, media can be played in a browser, 
including asx files, which is just a playlist of media. If one of these files 
on the list is a weird protocol like javascript:, it will be executed in the 
zone of the page that called it. At first, this seems to be a small problem. 
However, on windows 2000, media can be previewed on a panel to the left if the 
media file is in a local directory and the user clicks on it. The panel uses 
the windows media player control to preview the media. If a user clicks on a 
specially-crafted asx file, javascript will be executed in the local zone. 

The example is a vulnerable asx file which, when clicked in explorer, will 
display a messagebox wiith the location of the directory.

Note: The asx file must be opened in the media player control. It will not work 
if opened in windows media player itself.

[Example]
http://freehost07.websamba.com/greyhats/asxvuln.htm

Prev by Date: MSOE Javascript Execution Vulnerability
Next by Date: MSIE Download Window Filename + Filetype Spoofing Vulnerability
Previous by thread: Re: MSOE Javascript Execution Vulnerability
Next by thread: I small poem in JScript
Index(es):
- Date
- Thread