Re: IE execution of arbitrary commands without Active Scripting or ActiveX (GM#001-IE)

[the Pull <osioniusx () yahoo com>]

It was initially erroneous, though after Dave Ahmad
found the problem went with the window object, as well
that day, it was obvious that the problem was not with
the "popup" object. I believe as much was stated in
Dave's post. I added the note to my advisory and let
the reader fill in the blanks.

Furthermore, Tom Glider found another instance of this
quite sometime ago which went entirely unreported
outside of the Usenet:

 
http://groups.google.com/groups?hl=en&threadm=3C659F91.EAA0913C%40bn.com&rnum=4&prev=/groups%3Fq%3DTom%2Bgroup:alt.fan.cult-dead-cow%26hl%3Den%26scoring%3Dd%26selm%3D3C659F91.EAA0913C%2540bn.com%26rnum%3D4

 Quote:

 "btw, I thought you'd like to know that your nice "IE
 PopUp OBJECT Advisory"
 isn't actually a bug in the popup object - its more
to
 do with the way IE
 handles ActiveX objects created using innerHTML. This
 means that IE5.0 (and
 maybe 4) might be affected too.

 The following works in IE6 on Windows 98:

 <html>
 <script>
 onload = function() {
  document.body.innerHTML = '<object
 classid="CLSID:11111111"
 codebase="c:/windows/notepad.exe"></object>';
 }
 </script>
 </html>"

Regardless, it is interesting to see it bypass these
potential security restrictions.


__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!
http://greetings.yahoo.com