From: knitti (lists2k3@t-base71.no-ip.org)
To: full-disclosure@lists.netsys.com
Date: Sat, 30 Aug 2003 03:38:43 +0200
Subject: Re: [Full-Disclosure] Selfmade worms in the wild ;)


more fun:

why didn't you try:
http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=55756&VName=WORM_MSBLAST.%3Cscript%20type='text/javascript'%3Ealert('boo!')%3C/script%3E

i think one can pass almost any xss there

(citing http://www.trendmicro.com/en/about/profile/overview.htm :
  "Trend Micro Incorporated is a global leader in antivirus and Internet
  content security software and services....")

do they test their "internet content security software" on their own
pages?


greetz
knitti



From: morning_wood (se_cur_ity@hotmail.com)
To: Redaktion-Kryptocrew (momolly@kryptocrew.de), full-disclosure@lists.netsys.com
Date: Sat, 30 Aug 2003 03:14:03 -0700
Subject: Re: [Full-Disclosure] Selfmade worms in the wild ;)

well... lets see, we could make it an untrusted link by

"
http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=55756&
VName=WORM_MSBLAST. "

and include some remote javascript of our choice, or the latest IE ADODB explot.
the obvious choice for that would be the classic..

http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=55756&
VName=WORM_MSBLAST.

for everones info, the above was tested with the ADODB exploit to execute
remote code... sucessfully i might add. ( unpatched IE )

this goes to show that XSS is still very much a security concern, especially
coupled together with the lastest browser exploit to become a very dangerous
vector of attack, especially by way of a previously "trusted" URL.

this is not looking real good for trend.

good job Mo 8-)

morning_wood
http://exploitlabs.com
http://e2-labs.com