It throws a permission denied exception on my MSIE 6 SP1 + all patches in place.
MSIE 6.0.2600.0000 is way old.

-- jelmer

----- Original Message -----
From: "Liu Die Yu" <liudieyuinchina@yahoo.com.cn>
To: <bugtraq@securityfocus.com>
Sent: Monday, October 21, 2002 4:16 PM
Subject: MSIE:"SaveRef" cracks "(VictimWindow).document.write"

> [title]MSIE:"SaveRef" cracks "(VictimWindow).document.write"
>
> [digest]
> MSIE: you can always call "(VictimWindow).document.write" regardless of its
> zone if you have its reference.
> (please read "[more?]" section; i think it's important.)
>
> [tested]MSIEv6(CN version)
> {IEXPLORE.EXE file version: 6.0.2600.0000}
> {MSHTML.DLL file version: 6.00.2600.0000}
> Win98
>
> [demo]
> at
> http://www16.brinkster.com/liudieyu/SaveRef_DocumentWrite/SaveRef_DocumentWrite-MyPage.htm
> or
> clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.
>
> [exp]
> save the reference of "(NewWindow).document.write" when the zone
> of "(NewWindow)" is yours. then you can call it via reference even if its
> zone is not yours.
>
> simple, that's all.
>
> [more?]
> i've read some doc about COM (Component Object Model) at MSDN.
> MSDN says
> "The server is primarily responsible for security-that is, for the most
> part, the server determines whether it will provide a pointer to one of
> its objects to a client"
> (at "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/comext_99df.asp")
> this causes "Georgi Guninski"'s "(victimWindow).document" SaveRef flaw. i
> guess the patch just plants a "security checker" in "window.document".
>
> but method-SaveRef is not that easy to patch since there are so many
> methods in so many objects in so many APPLICATIONS (not only MSIE).
> "SaveRef" may end up turning M$ off? ;)
>
> i don't know. please tell me your opinion via email.
> (my physical work is all over, so reply in 24 hours)
>
> [contact]
> liudieyuinchina@yahoo.com.cn
> or
> clik.to/liudieyu ===> "how to contact liu die yu" section
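
The thread above turns on where an access check sits: at the moment a method reference is handed out, or on every call through it. The following toy model is an added example, not part of the original messages and not Internet Explorer code; `ToyWindow`, `getWrite`, `scenario` and the zone names are hypothetical. It shows why a lookup-time check alone leaves a saved reference usable after the window changes zone, and how re-checking at call time closes that gap.

```javascript
// Toy object model, constructed for illustration only.
class ToyWindow {
  constructor(zone, checkAtCall) {
    this.zone = zone;               // zone of the document currently loaded
    this.checkAtCall = checkAtCall; // true = hardened variant
    this.content = "";
  }

  // Loading a new document changes the zone and clears the content.
  navigate(zone) {
    this.zone = zone;
    this.content = "";
  }

  // Lookup-time check: the caller must share the window's zone
  // to be handed the write method at all.
  getWrite(callerZone) {
    if (callerZone !== this.zone) throw new Error("permission denied");
    return (text) => {
      // Call-time check (hardened variant only): compare the caller's
      // zone with the window's *current* zone on every invocation.
      if (this.checkAtCall && callerZone !== this.zone) {
        throw new Error("permission denied");
      }
      this.content += text;
    };
  }
}

// Save a reference while zones match, change the window's zone,
// then try both a fresh lookup and the saved reference.
function scenario(checkAtCall) {
  const win = new ToyWindow("internet", checkAtCall);
  const savedWrite = win.getWrite("internet");
  win.navigate("local");

  let direct = "allowed";
  let saved = "allowed";
  try { win.getWrite("internet"); } catch (e) { direct = "denied"; }
  try { savedWrite("x"); } catch (e) { saved = "denied"; }
  return { direct, saved, content: win.content };
}

console.log("lookup-time check only:", scenario(false));
console.log("check on every call:   ", scenario(true));
```

In both variants a fresh lookup is denied after the zone change; only the variant that checks on every call also denies the saved reference.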