| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Oct 2003 10:51:32 -0600
From: "Brian Paulson" <bpaulson@...eftain.com>
To: <arachnid__notdot_net@...a.net.nz>, <bugtraq@...urityfocus.com>
Subject: RE: New IE crash: CSS + HTML
I tested this sending an HTML email into outlook and it crashed outlook
when the page was loaded into the preview.
Outlook version: version: 10.3513.3501 SP1
My IE Version also crashed version: 6.0.2800.1106.xpsp2.030422-1633
---------------------------------
Thank You
Brian Paulson
Sr. Web Developer
bpaulson@...eftain.com
www.chieftain.com
1-800-279-6397
---------------------------------
-----Original Message-----
From: arachnid__notdot_net@...a.net.nz
[mailto:arachnid__notdot_net@...a.net.nz]
Sent: Thursday, October 02, 2003 11:43 PM
To: bugtraq@...urityfocus.com
Subject: New IE crash: CSS + HTML
While designing a page today, I stumbled across a combination of HTML
and CSS that causes IE (6.0.2600.0000 on 2k v5.00.2195 and 6.0.3790 on
2k3 server v5.2.3790 are the only versions tested so far) to crash with
a GPF. After a little work, I distilled the required code down to this:
-----------------------------------------
<html>
<body>
<style type="text/css">
#three {
position: absolute;
}
#one #two {
position: absolute;
}
</style>
<div id="one">
In 'one'
<span id="two">
In 'two'
</div>
<div id="three">
In 'three'
</div>
</body>
-----------------------------------------
A bit of experimentation revealed the following:
The tag with id "one" can be any tag that is 'display: block' by
default. The tag with id "two" can be any tag that is 'display: inline'
by default. The tag with id "three" can be any tag at all, including non
container tags such as img. The tag with id "two" _must_ be left
unclosed. The selector must be "#one #two", simply selecting on #two
does not work.
I'll be the first to admit that this is a bit obscure (though I came
across it by accident) - it seems to have something to do with opening
an absolutely positioned block tag after an absolutely positioned inline
tag wasn't closed properly, but is more complicated than that. In
windows 2000, it also crashed explorer when I clicked on the file in in
a file dialog (due to the auto-preview).
A brief look at a debugger on the crashed IE instance reveals that the
address it crashes at is a RET instruction.
I leave it up to people with more talent than I to refine when it occurs
and why ;).
-Nick Johnson
Powered by blists - more mailing lists