I played the exploit using IE5 and IE6. I observed
some strange behaviors. Under IE5 no sp when I click
the link, the IE will open the urls specified in the
href, i.e., microsoft, google and slatdot first. Then,
the IE will redirect the window to the url specified
in onunload. Under IE6 sp1, the IE will directly open
the url specified in onunload. But for the specific
example of google.com, the IE copies the content of
google page and opens it in the local domain. The
screenshots are attached in the email. Two questions:
1. Why does IE6 treat Microsoft.com, slatdot.com and
google.com differently?
2. Does this mean that, google can execute code with
local privilege in my computer?
-----
SUBJ: FullDisclosure: multiple web browsers, multiple
bugs - onUnload
and location.href
FROM: Rudolf Polzer (divzero_at_gmail.com)
URL :
http://seclists.org/lists/fulldisclosure/2004/Jul/1001.html
DEMO:
http://www.informatik.uni-frankfurt.de/~polzer/rbiclan/location
-----
after i clicked "Google" on the page, address field of
IE was faked - on
ie6.sp1.up2date running on winxp.home.en.up2date
just got it at iebug.com today.
liudieyu
liudieyu AT umbrella D0T name
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com Attachment:
AfterClick.zip
Description: AfterClick.zip