lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <003401c38ae5$98fdf570$90e9c318@ath.cx>
From: bscabl at nycap.rr.com (bscabl)
Subject: Fw: New IE crash: CSS + HTML

also confirmed in XP sp1

Faulting application iexplore.exe, version 6.0.2800.1106, faulting module
mshtml.dll, version 6.0.2800.1226, fault address 0x0011475e.



----- Original Message -----
From: <arachnid__notdot_net@...a.net.nz>
Newsgroups: muc.lists.bugtraq
Sent: Friday, October 03, 2003 11:59 AM
Subject: New IE crash: CSS + HTML


> While designing a page today, I stumbled across a combination of HTML and
CSS
> that causes IE (6.0.2600.0000 on 2k v5.00.2195 and 6.0.3790 on 2k3 server
> v5.2.3790 are the only versions tested so far) to crash with a GPF. After
a
> little work, I distilled the required code down to this:
>
> -----------------------------------------
> <html>
> <body>
> <style type="text/css">
> #three {
> position: absolute;
> }
> #one #two {
> position: absolute;
> }
> </style>
> <div id="one">
> In 'one'
> <span id="two">
> In 'two'
> </div>
> <div id="three">
> In 'three'
> </div>
> </body>
> -----------------------------------------
>
> A bit of experimentation revealed the following:
> The tag with id "one" can be any tag that is 'display: block' by default.
> The tag with id "two" can be any tag that is 'display: inline' by default.
> The tag with id "three" can be any tag at all, including non container
tags such
> as img.
> The tag with id "two" _must_ be left unclosed.
> The selector must be "#one #two", simply selecting on #two does not work.
>
> I'll be the first to admit that this is a bit obscure (though I came
across it
> by accident) - it seems to have something to do with opening an absolutely
> positioned block tag after an absolutely positioned inline tag wasn't
closed
> properly, but is more complicated than that.
> In windows 2000, it also crashed explorer when I clicked on the file in in
a
> file dialog (due to the auto-preview).
>
> A brief look at a debugger on the crashed IE instance reveals that the
address
> it crashes at is a RET instruction.
>
> I leave it up to people with more talent than I to refine when it occurs
and why ;).
>
> -Nick Johnson
>
> -
> Posted automagically by a mail2news gateway at muc.de e.V.
> Please direct questions, flames, donations, etc. to news-admin@....de


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ