Bugtraq mailing list archives

Re: Exploit/DoS in MS Internet Explorer 6.0 (OBJECT Tag)

From: "Roland Postle" <mail () blazde co uk>
Date: Wed, 16 Apr 2003 18:12:46 -0400

&lt;object id="test"
      data="#"
      width="100%" height="100%" 
      type="text/x-scriptlet" 
      VIEWASTEXT>&lt;/object&gt;


What I think is happening is that IE takes the URL '#' on it's own to
mean current document. (You can ahieve the same affect by specifying
data="document.html" where document.html is the name of the html file
running the code.)

When the data in the file '#' is embedded into the document and
executed it too contains the same object tag which embeds the document
again and again. Eventually it runs out of stack space. I doubt this is
exploitable on it's own except as a DoS.

- Blazde

Current thread:

Exploit/DoS in MS Internet Explorer 6.0 (OBJECT Tag) Ryan Emerle (Apr 16)
- Re: Exploit/DoS in MS Internet Explorer 6.0 (OBJECT Tag) Roland Postle (Apr 17)
- RE: Exploit/DoS in MS Internet Explorer 6.0 (OBJECT Tag) Steve Ryan (Apr 17)
- <Possible follow-ups>
- Re: Exploit/DoS in MS Internet Explorer 6.0 (OBJECT Tag) mattmurphy (Apr 21)