Poisonous Style for Dialog window turns the zone off.
("that's all" is the end of file if you are in a hurry)

[tested]
MSIEv6(CN version)
Patch: Q312461,Q328790(MS02-066)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}

[demo]
at
http://www16.brinkster.com/liudieyu/PoisonousSTYLEforDialog/PoisonousSTYLEforDialog-MyPage.htm
or
clik.to/liudieyu ==> PoisonousSTYLEforDialog-MyPage section.

[exp]
you can set the style of text in a window (a "ModalDialog" window) opened by
"showModalDialog()" regardless of zone difference.
the style can cause execution of script, one example:
<IMG width="0" height="0" style="width: expression(alert());">
so "poisonous" style can do XSS at client side.

that's all

[how]
i spent some time trying to bypass hotmail script filtering, so i read
something about it, including the above one from Guninski.
so, i got this one as soon as i read the description of "showModalDialog()"
at MSDN.

[BTW]
if you are interested in XSS at server side, don't miss a tool at
http://clik.to/fasx
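
Added example, not part of the original advisory: a filter-side check for the kind of style value shown in [exp]. It normalizes a style value (CSS comments, backslash escapes, whitespace) before looking for expression(, then drops the offending declarations. The function names are hypothetical, and the style attribute value is assumed to have been extracted by an HTML parser already.

```javascript
// Added example; function names are hypothetical. Assumes the style attribute
// value was already extracted from the markup by a real HTML parser.

// Decode CSS backslash escapes (\65, \000065 plus one optional space, or \x).
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])/g,
    (m, hex, ch) => {
      if (ch !== undefined) return ch;
      const cp = parseInt(hex, 16);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
    });
}

// Canonical form for matching: no comments, no escapes, no whitespace, lowercase.
function normalizeStyle(css) {
  const noComments = css.replace(/\/\*[\s\S]*?\*\//g, "");
  return decodeCssEscapes(noComments).replace(/[\u0000-\u0020]+/g, "").toLowerCase();
}

// True if the value contains a dynamic property of the kind shown in [exp].
function isScriptableStyle(css) {
  return normalizeStyle(css).includes("expression(");
}

// Split on ';' that is outside quotes and parentheses.
function splitDeclarations(css) {
  const out = [];
  let depth = 0, quote = null, cur = "";
  for (let i = 0; i < css.length; i++) {
    const c = css[i];
    if (c === "\\") { cur += c + (css[i + 1] || ""); i++; continue; }
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === "(") depth++;
    else if (c === ")" && depth > 0) depth--;
    else if (c === ";" && depth === 0) { out.push(cur); cur = ""; continue; }
    cur += c;
  }
  out.push(cur);
  return out.map((d) => d.trim()).filter(Boolean);
}

// Keep only safe declarations; fail closed if the rejoined value still matches.
function sanitizeStyle(css) {
  const kept = splitDeclarations(css).filter((d) => !isScriptableStyle(d));
  const result = kept.join("; ");
  return isScriptableStyle(result) ? "" : result;
}
```

The final re-check in sanitizeStyle covers values where the declaration split and the normalizer disagree, such as a comment that contains a semicolon.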