This is Adi Cohen's TypePad Profile.
Recent Activity
Hi Nick,
That's a great catch.
This could allow for a file with the following name to exist:
a/a.txt" .html
When a user double-clicks this file, the registered application will get access to a file named 'a.txt' under a folder named 'a'.
The attached image shows this scenario.
http://img821.imageshack.us/img821/8010/36262549.png
Updated machines will not accept a file whose name contains a double-quote sign.
Therefore, breaking out of the string surrounding the path in order to add arguments, or simply truncating the path string itself (as used in the example above), will not work.
However, it is possible to use the following file name:
a/a.html
to produce a case where patched systems will still open the file 'a.html' under the folder 'a' instead of the real file.
Microsoft Windows Shell Command Injection - MS12-048 (CVE-2012-0175)
CVE-2012-0175 Background Windows File Association allows an application to define a handler that should be called for each operation on a specific file type. For example, WinRAR registers the file type .RAR in the following manner: The Open action defined for this file type dictates how the ha...
Very nice, I suspected this could be possible but haven't got around to it. Thanks for sharing.
toStaticHTML: The Second Encounter (CVE-2012-1858)
HTML Sanitizing Bypass - CVE-2012-1858 Introduction The toStaticHTML component, which is found in Internet Explorer > 8, SharePoint and Lync is used to sanitize HTML fragments from dynamic and potentially malicious content. If an attacker is able to break the...
Posted Jul 10, 2012 at IBM Application Security Insider
Microsoft Anti-XSS Library Bypass (MS12-007)
Introduction: Microsoft Anti-XSS Library is used to protect applications from Cross-Site Scripting attacks, by providing methods for input sanitization. Vulnerability: Microsoft Anti-XSS Library 3.0 and 4.0 are vulnerable to an attack in which an attacker is able to create a...
Posted Jan 19, 2012 at IBM Application Security Insider