MSIE:"SaveRef" turns Zone off

[Liu Die Yu <liudieyuinchina () yahoo com cn>]

<TITLE>MSIE:"SaveRef" turns Zone off</TITLE>

[digest]
MSIE: you can execute jscript in any zone by saving the reference 
of "(NewWindow).location.assign".
(content after the "[exp]" section is not directly related to the flaw, so 
skip it if you are in a  hurry;)

[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000} 
Win98

[demo]
at 
http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm
or 
clik.to/liudieyu ==> SaveRef-MyPage section.

[exp]
javascript-protocol URL can cause CSS at client side, so microsoft 
blocked "(NewWindow).location.assign" method(there is no other explanation 
at all). but we can save the reference(mostly the same as 'pointer' in C) 
of "(NewWindow).location.assign" when we can access it, then we can access 
it forever -- regardless of NewWindow's zone, which means we can execute 
jscript in any zone.

simple, that's all.

[BTW]
thanx to :
0. all knowledge bases
1."dror shalev", without his "Who Framed IE" demo at
http://drorshalev.brinkster.net/dev/Search 
and his words, i wouldn't have discovered this flaw.(both "SaveRef" & "Who 
Framed IE" hurt microsoft's heart -- OOP/COM/DCOM ;)
2."the Pull", his words at
http://home.austin.rr.com/wiredgoddess/thepull/UnorthodoxBugFinding.txt
are inspiring&practical.

[apology]
i am always late for online issues because of everything around me( one 
example is my parents),  but i've never been absent;)

[contact]
liudieyuinchina () yahoo com cn
or
clik.to/liudieyu ===> "how to contact liu die yu" section