| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040717030657.31326.qmail@www.securityfocus.com> Date: 17 Jul 2004 03:06:57 -0000 From: Paul <paul@...yhats.cjb.net> To: bugtraq@...urityfocus.com Subject: MSIE Overly Trusted Location Variant Method Cache Vulnerability This vulnerability as well as many more can be found at http://www.greyhats.cjb.net Overly Trusted Location Variant Method Cache Vulnerability [Tested] IEXPLORE.EXE file version 6.0.2800.1106 MSHTML.DLL file version 6.00.2800.1400 Microsoft Windows XP sp1 [Discussion] Apparently, Internet Explorer trusts the location variant way too much when it comes to method cache. As Thor Larholm pointed out to me, it isnt a problem of similar method name redirection, but a problem with the location variant. I have created a new vulnerability to demonstrate this. EvilChild creates a child popup on a new window. Then it redirects the page. As it's loading, the popup is shown and saves the ref of parent.window.open to location.cache. As soon as the evil child popup cannot access the parent.document, an error handler is fired calling parent.window.open to load javascript into the main window. Example can be found at http://freehost07.websamba.com/greyhats/evilchild.htm
Powered by blists - more mailing lists