Bugtraq mailing list archives

Re: MSIE:"SaveRef" cracks "(VictimWindow).document.write"


From: "jelmer" <jelmer () kuperus xs4all nl>
Date: Mon, 21 Oct 2002 18:38:22 +0200

It throws a permission denied exception on my MSIE 6 SP1 + all patches in
place.
MSIE 6.0.2600.0000 is way old.

--
  jelmer




----- Original Message -----
From: "Liu Die Yu" <liudieyuinchina () yahoo com cn>
To: <bugtraq () securityfocus com>
Sent: Monday, October 21, 2002 4:16 PM
Subject: MSIE:"SaveRef" cracks "(VictimWindow).document.write"




[title]MSIE:"SaveRef" cracks "(VictimWindow).document.write"

[digest]
MSIE: you can always call "(VictimWindow).document.write" regardless of its
zone if you have its reference.
(Please read the "[more?]" section; I think it's important.)

[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}
Win98

[demo]
at
http://www16.brinkster.com/liudieyu/SaveRef_DocumentWrite/SaveRef_DocumentWrite-MyPage.htm
or
clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.

[exp]
Save the reference to "(NewWindow).document.write" when the zone
of "(NewWindow)" is yours. Then you can call it via the reference even if its
zone is not yours.

Simple, that's all.

[more?]
I've read some docs about COM (Component Object Model) on MSDN.
MSDN says
"The server is primarily responsible for security - that is, for the most
part, the server determines whether it will provide a pointer to one of
its objects to a client"
(at "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/comext_99df.asp")
This causes Georgi Guninski's "(victimWindow).document" SaveRef flaw. I
guess the patch just plants a "security checker" in "window.document".

But method-SaveRef is not that easy to patch, since there are so many
methods in so many objects in so many APPLICATIONS (not only MSIE).
"SaveRef" may end up turning M$ off? ;)

I don't know. Please tell me your opinion via email.
(My physical work is all over, so reply in 24 hours.)

[contact]
liudieyuinchina () yahoo com cn
or
clik.to/liudieyu ===> "how to contact liu die yu" section
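
The pattern the quoted post describes, as an added example that is not code from the post, from IE or from Microsoft: a constructed Node.js model of a window that can be navigated between zones, with the zone check placed either in the "window.document" accessor (the post's guess at what the earlier window.document patch did) or inside every "document.write" call. All names (createWindow, saveRefAttack, the zone labels "Internet" and "MyComputer") are assumptions made for illustration; the real MSHTML internals are not modelled.

```javascript
"use strict";

// Added example (not code from the post, from IE, or from Microsoft): a
// constructed Node.js model of the "SaveRef" pattern. Every name here is an
// assumption made for illustration. A window lives in a security zone and a
// script runs in a zone; document.write is only supposed to work when the two
// match. Two placements of that check are compared:
//   "accessor": checked when window.document is read (the kind of patch the
//               post guesses was applied for the earlier window.document bug)
//   "call":     checked inside every document.write call against the
//               window's CURRENT zone
function createWindow(checkAt, initialZone) {
  if (checkAt !== "accessor" && checkAt !== "call") {
    throw new Error("checkAt must be 'accessor' or 'call'");
  }
  const state = { zone: initialZone, content: "" };

  const document = {
    write(caller, text) {
      // Call-time check: a saved reference is useless once the window moved
      if (checkAt === "call" && caller.zone !== state.zone) {
        throw new Error("Permission denied");
      }
      state.content += text;
    },
  };

  return {
    // Point the window at a page in another zone (new document, empty content)
    navigate(zone) {
      state.zone = zone;
      state.content = "";
    },
    // Accessor-time check: only guards the moment window.document is read
    getDocument(caller) {
      if (checkAt === "accessor" && caller.zone !== state.zone) {
        throw new Error("Permission denied");
      }
      return document;
    },
    zone: () => state.zone,
    content: () => state.content,
  };
}

// The steps from the post's [exp] section: take the reference while the
// window's zone is yours, navigate the window into another zone, then call
// the saved reference instead of going through window.document again.
function saveRefAttack(checkAt) {
  const attacker = { zone: "Internet" };
  const win = createWindow(checkAt, "Internet"); // opened by the attacker page
  const savedWrite = win.getDocument(attacker).write; // zones match: allowed

  win.navigate("MyComputer"); // window now shows a page in a privileged zone
  const payload = "injected-from-Internet-zone"; // constructed sample payload

  // Going through window.document again is refused by either design
  let directDenied = false;
  try {
    win.getDocument(attacker).write(attacker, payload);
  } catch (e) {
    directDenied = true;
  }

  // The saved reference is what SaveRef is about
  let savedRefDenied = false;
  try {
    savedWrite(attacker, payload);
  } catch (e) {
    savedRefDenied = true;
  }

  return { directDenied, savedRefDenied, injected: win.content() };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("accessor-time check:", saveRefAttack("accessor"));
  console.log("call-time check:    ", saveRefAttack("call"));
}
```

With the accessor-time check the saved reference still writes into the re-homed window; with the call-time check it is refused, which matches the permission denied behaviour jelmer reports above for SP1. The general point is that a check attached to the act of obtaining a reference does not cover references obtained earlier, so the check has to run at every use against the object's current state.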





