Vulnerability Development mailing list archives

Re: IE Bug in Javascript Navigator Object


From: "Berend-Jan Wever" <SkyLined () edup tudelft nl>
Date: Fri, 2 Apr 2004 13:25:14 +0200

You can add properties to any object, that's normal behaviour in IE.
It is a Cross-site scripting (XSS) bug if you can write it on a site on
domain A and read it from another site on domain B. Mitigating factor for
this is that you can not read anything but the properties you've added. I
don't think any site has anything worth stealing hidden in there ;) But it
would be a cool way to implement a pipe across domains, using this property
as a buffer.

Cheers,
SkyLined


----- Original Message ----- 
From: "Uli Häfele" <uli.haefele () mindlab de>
To: <vuln-dev () securityfocus com>
Sent: Thursday, April 01, 2004 18:22
Subject: IE Bug in Javascript Navigator Object


I discovered a strange thing with the MS/IE recently. The Javascript
Navigator Object can be written by just adding a property.
The following code used within an html page

<script>
navigator.myString = "Hello world";
</script>

adds the property myString to the navigator object.
The content of the navigator object is existent as long as the current
Browser window is open.
I can read the content of the object even from different domains (first
domain writes the string, second domain reads it)
Mozilla doesn't allow the navigator object to cross the domain borders.

I'm not even sure if this is a bug. Is this behaviour correct?


_________________________________

Access your knowledge
http://www.mindlab.de/
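
The behaviour discussed in this thread, as an added example that is not part of either message: a toy model contrasting a navigator object that lives as long as the window with one recreated per document, plus the isolation check a tester would run. The `Browser` class, its option name, `leakedExpandos`, the `.example` origins and the per-document model used for the isolating case are all assumptions made for illustration, not browser code.

```javascript
// Toy model only; every name below is hypothetical.
class Browser {
  constructor({ shareNavigatorAcrossOrigins }) {
    this.shared = shareNavigatorAcrossOrigins;
    this.windowNavigator = this.freshNavigator();
  }

  // Built-in properties sit on a prototype here, so anything found directly
  // on the instance is an expando that some page script added.
  freshNavigator() {
    return Object.create({ appName: "constructed-sample" });
  }

  // Load a page from `origin` in the same window and run its script.
  load(origin, script) {
    // Isolating model: each document gets its own navigator object.
    if (!this.shared) this.windowNavigator = this.freshNavigator();
    return script(this.windowNavigator, origin);
  }
}

// Isolation check: properties a freshly loaded page can see but did not set.
function leakedExpandos(navigatorObject) {
  return Object.getOwnPropertyNames(navigatorObject);
}

function runScenario(browser) {
  // Constructed origins: the first page writes, the second page inspects.
  browser.load("http://a.example", (nav) => { nav.myString = "Hello world"; });
  return browser.load("http://b.example", (nav) => leakedExpandos(nav));
}

const reported = runScenario(new Browser({ shareNavigatorAcrossOrigins: true }));
const isolated = runScenario(new Browser({ shareNavigatorAcrossOrigins: false }));

console.log("window-lifetime navigator:", reported);
console.log("per-document navigator:", isolated);
```

An empty result from the second page is the invariant to test for: state written by one origin must not be observable from another.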





