Home page logo
/

bugtraq logo Bugtraq mailing list archives

MSIE:"SaveRef" cracks "(VictimWindow).document.write"
From: Liu Die Yu <liudieyuinchina () yahoo com cn>
Date: 21 Oct 2002 14:16:36 -0000



[title]MSIE:"SaveRef" cracks "(VictimWindow).document.write"

[digest]
MSIE: you can always call "(VictimWindow).document.write" regardless its 
zone if you have its reference.
(please read "[more?]" section; i think it's important.)

[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000} 
Win98

[demo]
at 
http://www16.brinkster.com/liudieyu/SaveRef_DocumentWrite/SaveRef_DocumentW
rite-MyPage.htm
or 
clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.

[exp]
save the reference of "(NewWindow).document.write" when the zone 
of "(NewWindow)" is yours. then you can call it via reference even if its 
zone is not yours.

simple, that's all.

[more?]
i've read some doc about COM(Component Object Modal) at MSDN.
MSDN says
"The server is primarily responsible for security¬óthat is, for the most 
part, the server determines whether it will provide a pointer to one of 
its objects to a client"
(at "http://msdn.microsoft.com/library/default.asp?url=/library/en-
us/com/comext_99df.asp")
this causes "Georgi Guninski" 's "(victimWindow).document" SaveRef flaw. i 
guess the patch just plants a "security checker" in "window.document" . 

but method-SaveRef is not that easy to patch since there are so many 
methods in so many objects in so many APPLICATIONS(not only MSIE).
"SaveRef" may end up turning M$ off? ;)

i don't know. please tell me your opinion via email.
(my physical work is all over,so reply in 24 hours)

[contact]
liudieyuinchina () yahoo com cn
or
clik.to/liudieyu ===> "how to contact liu die yu" section


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]