BugTraq
(MSIE) when parent gives his son bad things ;) --"dialogArguments " again
Nov 19 2002 01:45AM
Liu Die Yu (liudieyuinchina yahoo com cn)
(2 replies)
IFRAME in a page opened by "openModalDialog" has "dialogArguments" of its
parent.
[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}
[demo]
at
http://www16.brinkster.com/liudieyu/BadParent/BadParent-MyPage.htm
or
clik.to/liudieyu ==> BadParent-MyPage section.
/*note: please tell me if "MSIE SP1" allows an internet page to contain an
iframe with local content*/
[exp]
An IFRAME in a page opened by "openModalDialog" has the "dialogArguments" of its
parent. So an attacker can open (via "openModalDialog") his page, which
contains an iframe whose content is in the victim zone and
uses "dialogArguments" directly without filtering.
In the demo:
(*)"victim zone" is localzone;
(*)the page from victim zone is "res://shdoclc.dll/privacypolicy.dlg"; it
uses "cookieUrl" without filtering.
[how]
Realize that an IFRAME has some properties the same as those of its parent,
but the parent can be bad.
(BTW, I used to hate that my parents gave me many bad things; now I
realize it's my job to resist bad things. ;) )
[contact]
clik.to/liudieyu ==> "How to contact Liu Die Yu" section
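
The post's point is that a page reading "dialogArguments" cannot assume its opener is trustworthy. As an added example (not code from the original post and not the code of any MSIE dialog), here is one way a dialog page could treat that value as untrusted input; the argument shape (an object with a string `cookieUrl`) and all function names are assumptions.

```javascript
// Added example: defensive handling of dialogArguments inside a dialog page.
// Assumption: the opener passes an object carrying a string property cookieUrl.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const MAX_URL_LENGTH = 2048;

// Escape text before it is placed into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return a normalized http(s) URL string, or null when the value is unusable.
function safeCookieUrl(dialogArgs) {
  if (dialogArgs === null || typeof dialogArgs !== 'object') return null;
  const raw = dialogArgs.cookieUrl;
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_URL_LENGTH) {
    return null;
  }
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (err) {
    return null; // not a parseable absolute URL
  }
  // Allow-list the scheme instead of trying to enumerate bad ones.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Build the fragment the dialog displays; the value is escaped on output
// even though it has already been validated.
function renderSiteLine(dialogArgs) {
  const url = safeCookieUrl(dialogArgs);
  if (url === null) return '<span>Site: (unavailable)</span>';
  return '<span>Site: ' + escapeHtml(url) + '</span>';
}

// Constructed sample inputs, standing in for window.dialogArguments.
const SAMPLES = [
  { cookieUrl: 'http://example.com/?a=1&b=2' }, // expected shape
  { cookieUrl: 'javascript:void(0)' },          // scheme outside the allow-list
  { cookieUrl: 42 },                            // wrong type
  'http://example.com/',                        // not an object at all
];
for (const sample of SAMPLES) {
  console.log(renderSiteLine(sample));
}
```

In a real dialog the argument would come from `window.dialogArguments`, and the result should be assigned as text rather than concatenated into markup wherever the page allows it.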
RE: (MSIE) -"dialogArguments" (extended)
Nov 20 2002 08:55AM
GreyMagic Software (security greymagic com)
Re: (MSIE) when parent gives his son bad things ;) --"dialogArguments " again
Nov 19 2002 05:32PM
Dave Ahmad (da securityfocus com)
Copyright 2008, SecurityFocus