
Bugtraq mailing list archives

Re: MSIE:"SaveRef" cracks "(VictimWindow).document.write"
From: "jelmer" <jelmer () kuperus xs4all nl>
Date: Mon, 21 Oct 2002 18:38:22 +0200

It throws a permission denied exception on my MSIE 6 SP1 + all patches in
MSIE 6.0.2600.0000 is way old


----- Original Message -----
From: "Liu Die Yu" <liudieyuinchina () yahoo com cn>
To: <bugtraq () securityfocus com>
Sent: Monday, October 21, 2002 4:16 PM
Subject: MSIE:"SaveRef" cracks "(VictimWindow).document.write"

[title]MSIE:"SaveRef" cracks "(VictimWindow).document.write"

MSIE: you can always call "(VictimWindow).document.write" regardless of its
zone if you have its reference.
(Please read the "[more?]" section; I think it's important.)

[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}


clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.

Save the reference of "(NewWindow).document.write" when the zone
of "(NewWindow)" is yours. Then you can call it via the reference even if its
zone is not yours.

Simple, that's all.

I've read some doc about COM (Component Object Model) at MSDN.
MSDN says
"The server is primarily responsible for security-that is, for the most
part, the server determines whether it will provide a pointer to one of
its objects to a client"
(at "http://msdn.microsoft.com/library/default.asp?url=/library/en-
This causes "Georgi Guninski"'s "(victimWindow).document" SaveRef flaw. I
guess the patch just plants a "security checker" in "window.document".

but method-SaveRef is not that easy to patch since there are so many
methods in so many objects in so many APPLICATIONS(not only MSIE).
"SaveRef" may end up turning M$ off? ;)

I don't know. Please tell me your opinion via email.
(My physical work is all over, so reply in 24 hours.)

liudieyuinchina () yahoo com cn
clik.to/liudieyu ===> "how to contact liu die yu" section
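
The mechanism the post describes (a reference obtained while the zone matches, kept across a navigation) comes down to where the host performs its check: at the moment it hands out the reference, or on every call against the window's current zone. The following is an added model in JavaScript, not code from the post or from MSIE; `makeWindow`, `getDocument`, `navigate` and the zone names are constructed stand-ins for the browser's objects, used only to show why a check at the handout point alone does not hold once the zone changes.

```javascript
// Added model (not from the original post): two ways a host could guard a
// zone-restricted method, and what a saved reference does against each.
// Windows, zones and "document.write" here are constructed stand-ins.

function makeWindow(zone, checkAtHandout) {
  const win = { zone: zone, output: [] };

  // The privileged operation the caller wants to reach.
  function rawWrite(markup) {
    win.output.push(markup);
  }

  // checkAtHandout === true  : the check lives in the lookup of "document";
  //                            once the reference is out, calls through it
  //                            are never re-checked (the SaveRef weakness).
  // checkAtHandout === false : every call to write() re-checks the caller's
  //                            zone against the window's *current* zone.
  win.getDocument = function (callerZone) {
    if (checkAtHandout) {
      if (callerZone !== win.zone) throw new Error("Permission denied");
      return { write: rawWrite };
    }
    return {
      write: function (markup) {
        if (callerZone !== win.zone) throw new Error("Permission denied");
        rawWrite(markup);
      }
    };
  };

  // Navigation moves the window into another zone and starts a fresh output.
  win.navigate = function (newZone) {
    win.zone = newZone;
    win.output = [];
  };

  return win;
}

// SaveRef pattern from the post, replayed against the model: obtain the
// reference while the zone matches, navigate, then call the saved reference.
function saveRefAttempt(checkAtHandout) {
  const w = makeWindow("my-site", checkAtHandout);
  const savedWrite = w.getDocument("my-site").write; // allowed at this point
  w.navigate("other-zone");                          // window changes zone
  try {
    savedWrite("<p>injected</p>");
    return { bypassed: true, output: w.output };
  } catch (e) {
    return { bypassed: false, error: e.message };
  }
}

// Handout-only check: the saved reference still works after navigation.
// Per-call check: the same sequence ends in "Permission denied".
console.log(saveRefAttempt(true));
console.log(saveRefAttempt(false));
```

The per-call variant is what the post's "security checker" guess amounts to, and its last paragraph makes the cost explicit: that check has to sit inside every method that can be reached through a saved reference, not only inside the property that hands the object out.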
