BugTraq
Poisonous Style for Dialog window turns the zone off.
Dec 03 2002 06:26AM
Liu Die Yu (liudieyuinchina yahoo com cn)


Poisonous Style for Dialog window turns the zone off.

("that's all" is the end of file if you are in a hurry)

[tested]

MSIEv6(CN version)

Patch: Q312461,Q328790(MS02-066)

{IEXPLORE.EXE file version: 6.0.2600.0000}

{MSHTML.DLL file version: 6.00.2600.0000}

[demo]

at

http://www16.brinkster.com/liudieyu/PoisonousSTYLEforDialog/PoisonousSTYLEforDialog-MyPage.htm

or

clik.to/liudieyu ==> PoisonousSTYLEforDialog-MyPage section.

[exp]

you can set the style of text in a window (a "ModalDialog" window) opened by "showModalDialog()" regardless of zone difference.

the style can cause execution of script, one example:

<IMG width="0" height="0" style="width: expression(alert());">

so "poisonous" style can do XSS at client side.

that's all

[how]

i spent some time trying to bypass hotmail script filtering, so i read something about it, including the above one from Guninski.

so, i got this one as soon as i read the description of "showModalDialog()" at MSDN.

[BTW]

if you are interested in XSS at server side, don't miss a tool at

http://clik.to/fasx

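For anyone filtering markup or dialog arguments against the style-based script execution described in [exp], the following is an added example, not part of the original post: it normalizes a style value the way a CSS parser would (comments removed, escapes decoded) before looking for expression(, so alternate spellings of the same token are treated alike. The function names are hypothetical, and the second and third sample inputs are constructed; the first is the IMG tag from the post.

```javascript
// Added example (not from the original post). Function names are hypothetical;
// samples 2 and 3 are constructed, sample 1 is the post's own IMG tag.

// Reduce a CSS value to what a CSS parser sees: comments removed,
// backslash escapes decoded, case folded.
function normalizeCss(value) {
  return value
    .replace(/\/\*[\s\S]*?\*\//g, "")                      // strip /* ... */
    .replace(/\\([0-9a-f]{1,6})[ \t\r\n\f]?/gi, (_, hex) => {
      const cp = parseInt(hex, 16);                        // \65 -> "e"
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
    })
    .replace(/\\([^\r\n\f])/g, "$1")                       // \x -> x
    .toLowerCase();
}

// True when the normalized style value contains a dynamic property.
function styleRunsScript(value) {
  return /expression\s*\(/.test(normalizeCss(value));
}

// Collect style attribute values from markup. Regex extraction keeps the
// demo short; a production filter should read the attribute from a parsed
// DOM, which also decodes character references.
function styleAttributes(html) {
  const re = /\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Style values in the markup that would need to be stripped or rejected.
function findPoisonousStyles(html) {
  return styleAttributes(html).filter(styleRunsScript);
}

const SAMPLES = [
  '<IMG width="0" height="0" style="width: expression(alert());">', // from the post
  '<p style="width: exp/* x */ression(alert())">',   // constructed: comment inside token
  '<p style="width: \\65xpression(alert())">',       // constructed: hex escape for "e"
  '<p style="width: 100px; color: red">text</p>',    // constructed: benign
];
for (const s of SAMPLES) {
  console.log(findPoisonousStyles(s).length > 0 ? "FLAG" : "ok  ", s);
}
```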