Bugtraq mailing list archives

MSIE:"SaveRef" cracks "(VictimWindow).document.write"
From: Liu Die Yu <liudieyuinchina () yahoo com cn>
Date: 21 Oct 2002 14:16:36 -0000

[title]MSIE:"SaveRef" cracks "(VictimWindow).document.write"

MSIE: you can always call "(VictimWindow).document.write" regardless of its 
zone if you have its reference.
(please read "[more?]" section; i think it's important.)

[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000} 

clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.

save the reference of "(NewWindow).document.write" when the zone 
of "(NewWindow)" is yours. then you can call it via reference even if its 
zone is not yours.

simple, that's all.

i've read some doc about COM (Component Object Model) at MSDN.
MSDN says
"The server is primarily responsible for security—that is, for the most 
part, the server determines whether it will provide a pointer to one of 
its objects to a client"
(at "http://msdn.microsoft.com/library/default.asp?url=/library/en-
this causes "Georgi Guninski" 's "(victimWindow).document" SaveRef flaw. i 
guess the patch just plants a "security checker" in "window.document" . 

but method-SaveRef is not that easy to patch since there are so many 
methods in so many objects in so many APPLICATIONS(not only MSIE).
"SaveRef" may end up turning M$ off? ;)

i don't know. please tell me your opinion via email.
(my physical work is all over, so reply in 24 hours)

liudieyuinchina () yahoo com cn
clik.to/liudieyu ===> "how to contact liu die yu" section
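
An added illustration, not part of the original post and not MSIE or MSHTML code: a toy JavaScript model of the design problem the post describes, comparing an access check made only when a method reference is handed out with one repeated on every call. The `ToyWindow` class, its methods and the zone labels are hypothetical.

```javascript
// Toy model, constructed for illustration. A window has a zone that changes
// when it navigates; a caller may only touch a window in its own zone.
class ToyWindow {
  constructor(zone, checkAtCall) {
    this.zone = zone;               // current zone of the loaded document
    this.content = "";
    this.checkAtCall = checkAtCall; // true = hardened variant
  }

  navigate(newZone) {
    this.zone = newZone;            // new document, possibly a new zone
    this.content = "";
  }

  // Hands out a reference to the write method. The zone check here runs
  // once, at acquisition time.
  getWrite(callerZone) {
    if (callerZone !== this.zone) throw new Error("access denied (acquire)");
    const win = this;
    return function write(text) {
      // Hardened variant: compare the caller with the zone the window has
      // now, not the zone it had when the reference was issued.
      if (win.checkAtCall && callerZone !== win.zone) {
        throw new Error("access denied (call)");
      }
      win.content += text;
    };
  }
}

// Acquire the reference while zones match, navigate, then call it.
function runScenario(checkAtCall) {
  const win = new ToyWindow("internet", checkAtCall);
  const savedWrite = win.getWrite("internet"); // allowed: same zone
  win.navigate("local");                       // zone changes afterwards
  try {
    savedWrite("marker");
    return { blocked: false, content: win.content };
  } catch (e) {
    return { blocked: true, content: win.content, reason: e.message };
  }
}

// A fresh acquisition after navigation is refused in both variants, which
// is why a check placed only on the accessor does not cover saved references.
function freshAcquireDenied(checkAtCall) {
  const win = new ToyWindow("local", checkAtCall);
  try { win.getWrite("internet"); return false; } catch (e) { return true; }
}
```
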
