[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030416032852.31393.qmail@www.securityfocus.com>
Date: 16 Apr 2003 03:28:52 -0000
From: Liu Die Yu <liudieyuinchina@...oo.com.cn>
To: bugtraq@...urityfocus.com
Subject: i cracked restriction of 'zone' in mozilla.
i cracked restriction of 'zone' in mozilla.
("that's all" is the end of file if you are in a hurry)
[tested]
OS:"Windows Server 2003"
NETSCAPE Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN;
rv:1.0.1) Gecko/20020823 Netscape/7.0 "
(downloaded on "2003/3/31 UTC+800")
MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US;
rv:1.3) Gecko/20030312"
(downloaded on "2003/4/1 UTC+800")
MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.4a) Gecko/20030401"
(downloaded on "2003/4/15 UTC+800")
[demo]
http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-MyPage.htm
or
UMBRELLA.MX.TC ===> EdgeLink-MyPage section.
(disable Popup killer.)
[exp]
Mozilla does not wash links on the edge of transforming from one document
to another.
{0}before content of the next document is loaded & after the security ID
of current document is changed to the security ID of the next one(such
period exists.):
{1}links including their "onclick" property in current document remain
alive(=clickable).
{1.1}i can access my link if i have its reference.
now,i call its "onclick" via the reference of link:
{1.2}"onclick" is executed with security ID of the next page which is
going to be loaded.
(boring? "[demo-exp]" is easier.)
[demo-exp]
okay, this is easier. listen up:
task:
show "document.cookie" at "www.securityfocus.com", via "window.alert".
[*]our "LINK" page: it's in our 'zone' and contains a link with
onclick="alert(document.cookie)"
[*]"main" script lives in another page;
now, "main" script plays the trick:
open "LINK" page in another window - "mywin".
save the reference of the link in "LINK" page to "MyLink" variable.
tell "mywin" to go to "http://www.securityfocus.com/".
wait until the security ID changes
("security ID changes"<==>"main script is unable to get protected info"--
>"try{[Get protected info in mywin]}catch{[now, security ID is
changed.]}" )
call "MyLink.onclick()" *immediately*.
/*
we call that immediately, so the time is {0}(refer to "{0}" in "[exp]");
even though the security ID is changed to that
of "http://www.securityfocus.com", our link remains alive.{1}
even though the security ID is victim's id, main script still can
call "MyLink.onclick()".{1.1}
at last, {1.2}
*/
that's all.
[how]
from small beginnings come great things!
read:
http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-How.htm
or
UMBRELLA.MX.TC ===> EdgeLink-How section.
if you are interested in how i got this in 5 hours after i downloaded
mozilla.
[people]
greetings to you all!
and thanx to
"the Pull", dror, bin, gean, dross, iainm, and always: mom and dad - for
their help.
[extra offer]
if you are browsing through web daily with MSIE, try:
http://liudieyuinchina.vip.sina.com/domex/aPoP
or
DOMEX.INT.TC ===> aPoP section.
(it's coded by me; i hope you like it :-) )
BTW,i'm very proud of my "PuriWeb" function in it.
-----
all mentioned resources can always be found at UMBRELLA.MX.TC
[contact]
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
Powered by blists - more mailing lists