I played the exploit using IE5 and IE6 and observed some strange behaviors.

Under IE5 (no SP), when I click the link, IE will open the URLs specified in the href, i.e., microsoft, google and slashdot first. Then IE will redirect the window to the URL specified in onunload.

Under IE6 SP1, IE will directly open the URL specified in onunload. But for the specific example of google.com, IE copies the content of the Google page and opens it in the local domain. The screenshots are attached in the email.

Two questions:

1. Why does IE6 treat Microsoft.com, slashdot.com and google.com differently?
2. Does this mean that Google can execute code with local privilege on my computer?

-----
SUBJ: FullDisclosure: multiple web browsers, multiple bugs - onUnload and location.href
FROM: Rudolf Polzer (divzero_at_gmail.com)
URL : http://seclists.org/lists/fulldisclosure/2004/Jul/1001.html
DEMO: http://www.informatik.uni-frankfurt.de/~polzer/rbiclan/location
-----

After I clicked "Google" on the page, the address field of IE was faked - on ie6.sp1.up2date running on winxp.home.en.up2date. Just got it at iebug.com today.

liudieyu
liudieyu AT umbrella D0T name
Attachment:
AfterClick.zip