RE: MSIE:"SaveRef" turns Zone off

2002-10-02 Thread Thor Larholm

This also works in IE5.5.

Besides reading cookies from arbitrary sites, this vulnerability also allows
local file reading and execution when combined with the OBJECT
cross-protocol redirection vulnerability.

http://jscript.dk/2002/10/sec/SaveRefLocalFile.html

Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC

Are You Secure?
http://www.PivX.com

MSIE:"SaveRef" turns Zone off

2002-10-01 Thread Liu Die Yu

MSIE:"SaveRef" turns Zone off

[digest]
MSIE: you can execute JScript in any zone by saving the reference 
to "(NewWindow).location.assign".
(Content after the "[exp]" section is not directly related to the flaw, so 
skip it if you are in a hurry.)

[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.}
{MSHTML.DLL file version: 6.00.2600.} 
Win98

[demo]
at 
http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm
or 
clik.to/liudieyu ==> SaveRef-MyPage section.

[exp]
A javascript-protocol URL can cause CSS at the client side, so Microsoft 
blocked the "(NewWindow).location.assign" method (there is no other explanation 
at all). But we can save the reference (mostly the same as a 'pointer' in C) 
to "(NewWindow).location.assign" while we can access it, and then we can access 
it forever, regardless of NewWindow's zone, which means we can execute 
JScript in any zone.

simple, that's all.

[BTW]
thanks to:
0. all knowledge bases
1. "dror shalev": without his "Who Framed IE" demo at
http://drorshalev.brinkster.net/dev/Search 
and his words, I wouldn't have discovered this flaw. (Both "SaveRef" and "Who 
Framed IE" hurt Microsoft's heart -- OOP/COM/DCOM ;)
2. "the Pull": his words at
http://home.austin.rr.com/wiredgoddess/thepull/UnorthodoxBugFinding.txt
are inspiring and practical.

[apology]
I am always late for online issues because of everything around me (one 
example is my parents), but I've never been absent ;)

[contact]
[EMAIL PROTECTED]
or
clik.to/liudieyu ===> "how to contact liu die yu" section
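The design flaw described in the "[exp]" section above is a general one: a security check that runs only when a method reference is handed out, not when it is invoked, is defeated by holding onto the reference until the guarded object changes state. The following JavaScript is an added illustration written for this thread, not code from either post and not IE's actual implementation. It simulates a window object whose `location.assign` is gated by a zone check, and compares the access-time-only check (the behaviour the post describes) with a check repeated at call time. All names here (`makeWindow`, `enterZone`, `checkAtCallTime`, the zone strings and the URL) are constructed for the example.

```javascript
// Simulated browser window for illustrating the "saved reference" problem.
// `callerZone` is the zone of the script that holds the window handle;
// `state.zone` is the zone the window is currently in.
function makeWindow(callerZone, opts) {
  const state = { zone: callerZone, url: "about:blank" };

  // The zone policy: a script may only drive windows in its own zone.
  const checkOrThrow = () => {
    if (state.zone !== callerZone) {
      throw new Error("access denied: cross-zone location.assign");
    }
  };

  const assign = (url) => {
    // Hardened variant: the policy is re-evaluated on every call, so a
    // reference saved earlier is useless once the window changes zone.
    if (opts.checkAtCallTime) checkOrThrow();
    state.url = url;
  };

  return {
    state,
    // Both variants check when `location` is read. In the weak variant this
    // is the only check, which is exactly what SaveRef-style reuse defeats.
    get location() {
      checkOrThrow();
      return { assign };
    },
    // Simulates the window navigating into a different zone (e.g. local).
    enterZone(zone) { state.zone = zone; },
  };
}

// Obtain the method while access is legitimately allowed, let the window move
// to another zone, then reuse the saved reference. Returns whether the policy
// blocked the call and what URL the window ended up with.
function attemptWithSavedReference(checkAtCallTime) {
  const w = makeWindow("internet", { checkAtCallTime });
  const saved = w.location.assign;          // allowed: same zone at this moment
  w.enterZone("local");                     // window now lives in another zone
  try {
    saved("https://example.invalid/after-zone-change"); // constructed URL
    return { blocked: false, url: w.state.url };
  } catch (e) {
    return { blocked: true, url: w.state.url };
  }
}

// Control case: going through `w.location` after the zone change is refused
// by both variants, which is why the access-time check looked sufficient.
function attemptDirectAccess() {
  const w = makeWindow("internet", { checkAtCallTime: false });
  w.enterZone("local");
  try {
    w.location.assign("https://example.invalid/direct");
    return false;
  } catch (e) {
    return true;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("access-time check only:", attemptWithSavedReference(false));
  console.log("check at call time:   ", attemptWithSavedReference(true));
  console.log("direct access blocked:", attemptDirectAccess());
}
```

The fix is not to hide the method harder but to bind the policy to the invocation: any capability that can be captured as a first-class value must enforce its check when used, since the caller controls how long the value lives. The same reasoning applies when auditing any API that returns callable handles across a trust boundary.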