BugTraq
i cracked restriction of 'zone' in mozilla. Apr 16 2003 03:28AM
Liu Die Yu (liudieyuinchina yahoo com cn) (1 replies)


i cracked restriction of 'zone' in mozilla.

("that's all" is the end of file if you are in a hurry)

[tested]

OS: "Windows Server 2003"

NETSCAPE Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.0.1) Gecko/20020823 Netscape/7.0 "
(downloaded on "2003/3/31 UTC+800")

MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.3) Gecko/20030312"
(downloaded on "2003/4/1 UTC+800")

MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4a) Gecko/20030401"
(downloaded on "2003/4/15 UTC+800")

[demo]

http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-MyPage.htm

or

UMBRELLA.MX.TC ===> EdgeLink-MyPage section.

(disable the popup killer.)

[exp]

Mozilla does not wash links on the edge of transforming from one document to another.

{0} before the content of the next document is loaded & after the security ID of the current document is changed to the security ID of the next one (such a period exists.):

{1} links, including their "onclick" property, in the current document remain alive (= clickable).

{1.1} i can access my link if i have its reference.

now, i call its "onclick" via the reference of the link:

{1.2} "onclick" is executed with the security ID of the next page which is going to be loaded.

(boring? "[demo-exp]" is easier.)

[demo-exp]

okay, this is easier. listen up:

task:

show "document.cookie" at "www.securityfocus.com", via "window.alert".

[*] our "LINK" page: it's in our 'zone' and contains a link with onclick="alert(document.cookie)"

[*] "main" script lives in another page;

now, "main" script plays the trick:

open "LINK" page in another window - "mywin".

save the reference of the link in "LINK" page to the "MyLink" variable.

tell "mywin" to go to "http://www.securityfocus.com/".

wait until the security ID changes
("security ID changes" <==> "main script is unable to get protected info" --> "try{[Get protected info in mywin]}catch{[now, security ID is changed.]}")

call "MyLink.onclick()" *immediately*.

/*
we call that immediately, so the time is {0} (refer to "{0}" in "[exp]");
even though the security ID is changed to that of "http://www.securityfocus.com", our link remains alive. {1}
even though the security ID is the victim's id, main script still can call "MyLink.onclick()". {1.1}
at last, {1.2}
*/

that's all.

[how]

from small beginnings come great things!

read:

http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-How.htm

or

UMBRELLA.MX.TC ===> EdgeLink-How section.

if you are interested in how i got this in 5 hours after i downloaded mozilla.

[people]

greetings to you all!

and thanx to

"the Pull", dror, bin, gean, dross, iainm, and always: mom and dad - for their help.

[extra offer]

if you are browsing through web daily with MSIE, try:

http://liudieyuinchina.vip.sina.com/domex/aPoP

or

DOMEX.INT.TC ===> aPoP section.

(it's coded by me; i hope you like it :-) )

BTW, i'm very proud of my "PuriWeb" function in it.

-----

all mentioned resources can always be found at UMBRELLA.MX.TC

[contact]

UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"

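A toy model of the ordering problem the post describes, added here as an illustration and not code from the original post or from Mozilla: a window whose security ID is switched before the old document's nodes are washed lets a retained link handler pass the access check under the next page's ID, while taking the principal from the node's owning document closes the gap. All class and origin names are invented.

```javascript
// Toy model of the "edge link" ordering bug from the post above. Everything
// here is constructed for illustration; no real browser or site is involved.

class Doc {
  constructor(origin) {
    this.origin = origin;                  // the document's own security ID
    this.cookie = `cookie-of-${origin}`;   // constructed protected data
  }
  createLink(onclick) {
    // a link remembers which document created it
    return { ownerDocument: this, onclick };
  }
}

// Window variant matching the post: navigate() switches the window's
// security ID before the old document's nodes are washed ({0} in [exp]),
// and the access check consults the window's ID, not the node's owner.
class BuggyWindow {
  constructor(origin) { this.securityId = origin; this.document = new Doc(origin); }
  navigate(origin) {
    this.securityId = origin;              // ID changes first ...
    this.document = new Doc(origin);       // ... old links still referenced and callable
  }
  principalFor(link) { return this.securityId; }
  readCookie(link) {
    // same-origin check between the caller's principal and the target document
    if (this.principalFor(link) !== this.document.origin) throw new Error('SecurityError');
    return this.document.cookie;
  }
}

// Hardened variant: the principal comes from the document that owns the
// node, so a reference kept across the transition keeps its old ID.
class FixedWindow extends BuggyWindow {
  principalFor(link) { return link.ownerDocument.origin; }
}

// Replay the [demo-exp] sequence against a window model: keep a link
// reference, navigate the window, call the handler immediately.
function replay(win, victimOrigin) {
  const myLink = win.document.createLink(function () { return win.readCookie(this); });
  win.navigate(victimOrigin);
  try {
    return { leaked: true, value: myLink.onclick() };
  } catch (e) {
    return { leaked: false, value: e.message };
  }
}
```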
Re: i cracked restriction of 'zone' in mozilla. Apr 17 2003 04:37PM
Alla Bezroutchko (alla scanit be)