Home page logo

bugtraq logo Bugtraq mailing list archives

Re: IE execution of arbitrary commands without Active Scripting or ActiveX (GM#001-IE)
From: the Pull <osioniusx () yahoo com>
Date: Fri, 1 Mar 2002 10:55:10 -0800 (PST)

It was initially erroneous, though after Dave Ahmad
found the problem went with the window object, as well
that day, it was obvious that the problem was not with
the "popup" object. I believe as much was stated in
Dave's post. I added the note to my advisory and let
the reader fill in the blanks.

Furthermore, Tom Glider found another instance of this
quite sometime ago which went entirely unreported
outside of the Usenet:



 "btw, I thought you'd like to know that your nice "IE
 PopUp OBJECT Advisory"
 isn't actually a bug in the popup object - its more
 do with the way IE
 handles ActiveX objects created using innerHTML. This
 means that IE5.0 (and
 maybe 4) might be affected too.

 The following works in IE6 on Windows 98:

 onload = function() {
  document.body.innerHTML = '<object

Regardless, it is interesting to see it bypass these
potential security restrictions.

Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]