Vulnerability Development mailing list archives
Re: IE5 crash
From: Dan Kaminsky <dankamin () CISCO COM>
Date: Mon, 25 Dec 2000 01:45:16 -0800
[ Server Response Headers ]
HTTP/1.1 301 Moved Permanently
Server: Apache/1.3.11 (Unix)
Pragma: no-cache
Accept-Ranges: bytes
Content-Length: 62
Connection: Close
Content-Type: text/html
Location: javascript:with(navigator){n='\n';alert(userAgent+n+platform)}

Off the top of my head, I'd guess one of three things is happening here:

1) Javascript Recognized But Not Instantiated: The HTTP Redirection code knows enough about Javascript to recognize it being called, but doesn't know enough to actually complete the call.

2) Javascript Objects Not Configured: The HTTP Redirection code both knows enough about Javascript to recognize its call *and* has the ability to complete some Javascript operations, but this specific operation is attempting to access variables/structures/objects/whatnot that haven't been initialized yet.

3) Javascript Operating Correctly Outside of Expected Territory: Essentially, Javascript was built to be run inside the HTML parser, but is being called outside of it and is stomping over the place.

Mind you, none of this should be taken even slightly as gospel--it could be something as simple as that the browser doesn't know how to handle references that don't contain a URL type (http, ftp, file, telnet, etc.)!

This is brought up as a way of possibly helping your investigation (if you're in the mood to examine the problem further). Do all Javascript references cause failures, or just this one? What about vbscript? If some do succeed, can they reference Javascript variables from referring pages? Might there be holes in the JS security model that aren't patched at the layer of HTTP?

Just some thoughts--hope they help.

--Dan Kaminsky
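
Added example (not part of the original post or thread): a redirect-following client can refuse a response like the one quoted above by resolving the Location value and allowlisting its scheme before acting on it. The sample response is constructed from the quoted headers; `getHeader`, `checkRedirect` and the http/https allowlist are assumptions of this example, not any browser's actual code.

```javascript
// Constructed sample, modelled on the response headers quoted in the post.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 301 Moved Permanently",
  "Server: Apache/1.3.11 (Unix)",
  "Content-Type: text/html",
  "Location: javascript:with(navigator){n='\\n';alert(userAgent+n+platform)}",
  "", ""
].join("\r\n");

// Assumption: this client only ever needs to follow web redirects.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// First header value with the given name (case-insensitive), or null.
function getHeader(rawResponse, name) {
  const head = rawResponse.split("\r\n\r\n")[0];
  for (const line of head.split("\r\n").slice(1)) {
    const idx = line.indexOf(":");
    if (idx > 0 && line.slice(0, idx).trim().toLowerCase() === name.toLowerCase()) {
      return line.slice(idx + 1).trim();
    }
  }
  return null;
}

// Decide whether a 3xx response may be followed from requestUrl.
function checkRedirect(rawResponse, requestUrl) {
  const status = parseInt(rawResponse.split(" ")[1], 10);
  if (!(status >= 300 && status < 400)) {
    return { follow: false, reason: "not a redirect" };
  }
  const location = getHeader(rawResponse, "Location");
  if (location === null) {
    return { follow: false, reason: "no Location header" };
  }
  let target;
  try {
    // WHATWG URL parsing resolves relative references, lowercases the
    // scheme and drops embedded tabs/newlines, so "JaVa\tScRiPt:" is
    // compared as "javascript:".
    target = new URL(location, requestUrl);
  } catch (e) {
    return { follow: false, reason: "unparseable Location" };
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { follow: false, reason: "scheme " + target.protocol + " not allowed" };
  }
  return { follow: true, url: target.href };
}
```

Checking the parsed scheme against an allowlist, rather than searching the raw string for "javascript:", also covers the vbscript case raised in the post and any other scheme the client has no redirect handling for.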