>>Firefox doesn't support ANI files for cursors. If the exploitation
method was so obvious, we would already have Firefox exploits in the
wild, wouldn't we?
I don't know. I'll have to think about how else you would get it to use
an ANI. There's no Flash involved, is there?
>>Maybe the url should be in quites? This works for me:
>><body style="CURSOR: url('foo.ani')">
It's actually supposed to work with or without quotes I think and I've
tried a dozen variants and yours here. No luck. The cursors are straight
out of c:\windows\cursors. I'll try it in the morning.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
