[22977] in bugtraq
RE: Javascript in IE may spoof the whole screen
daemon@ATHENA.MIT.EDU (Thor Larholm)
Wed Oct 24 11:40:22 2001
Message-ID: <77152B8B3F91CF45ADC6BAE44C2ADAE90193490E@mailsrv1.jubii.dk>
From: Thor Larholm <Thor@jubii.dk>
To: "'Julian Hall'" <jules@acris.co.uk>, guninski@guninski.com
Cc: Bugtraq <BUGTRAQ@securityfocus.com>
Date: Wed, 24 Oct 2001 12:10:06 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
> From: Julian Hall
> > Georgi Guninski security advisory #50, 2001
> > Image moving over download/open dialog:
> > http://www.guninski.com/opf2.html
> > BSOD emulation:
> > http://www.guninski.com/bsod1.html
>
> Neither of these demonstrations function correctly in IE 5.0;
> they produce script
> error message boxes, reporting that the 'object does not
> support the requested
> method'. I don't know whether that means IE 5.0 isn't
> vulnerable or not...
It means that Guninski used the popup object in his examples, which was
first introduced in IE5.5+ - using chromeless window objects will yield the
same results in IE4+.
The advisory still holds, the example was just flawed.
Regards
Thor Larholm
Jubii A/S - Internet Programmer
