[24505] in bugtraq
Re: IE execution of arbitrary commands without Active Scripting or ActiveX (GM#001-IE)
daemon@ATHENA.MIT.EDU (the Pull)
Fri Mar 1 19:22:19 2002
Message-ID: <20020301185510.28126.qmail@web12501.mail.yahoo.com>
Date: Fri, 1 Mar 2002 10:55:10 -0800 (PST)
From: the Pull <osioniusx@yahoo.com>
To: bugtraq@securityfocus.com
In-Reply-To: <LPBBLDGNEFOGMGAEHJPBKELBCLAA.security@greymagic.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
It was initially erroneous, though after Dave Ahmad
found the problem went with the window object, as well
that day, it was obvious that the problem was not with
the "popup" object. I believe as much was stated in
Dave's post. I added the note to my advisory and let
the reader fill in the blanks.
Furthermore, Tom Glider found another instance of this
quite some time ago which went entirely unreported
outside of the Usenet:
http://groups.google.com/groups?hl=en&threadm=3C659F91.EAA0913C%40bn.com&rnum=4&prev=/groups%3Fq%3DTom%2Bgroup:alt.fan.cult-dead-cow%26hl%3Den%26scoring%3Dd%26selm%3D3C659F91.EAA0913C%2540bn.com%26rnum%3D4
Quote:
"btw, I thought you'd like to know that your nice "IE PopUp OBJECT Advisory"
isn't actually a bug in the popup object - it's more to do with the way IE
handles ActiveX objects created using innerHTML. This means that IE5.0 (and
maybe 4) might be affected too.
The following works in IE6 on Windows 98:
<html>
<script>
onload = function() {
  document.body.innerHTML = '<object classid="CLSID:11111111" codebase="c:/windows/notepad.exe"></object>';
}
</script>
</html>"
Regardless, it is interesting to see it bypass these
potential security restrictions.
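The snippet quoted in the message places an <object> tag with a local-file codebase inside a script string, where a filter that only inspects markup would not see it. The following Python code is an added example, not part of the original post or the quoted Usenet message: it shows how a content filter could flag such tags in both markup and script text. The names SAMPLE, ObjectScanner, is_local_codebase and scan are chosen here, and re-parsing script text as HTML is a heuristic assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the snippet quoted in the message.
SAMPLE = """<html>
<script>
onload = function() {
  document.body.innerHTML = '<object classid="CLSID:11111111" codebase="c:/windows/notepad.exe"></object>';
}
</script>
<object classid="CLSID:11111111" codebase="https://example.com/control.cab"></object>
</html>"""

# Drive-letter paths, UNC paths and file: URLs count as local.
LOCAL_PATH = re.compile(r'^(?:[a-z]:[\\/]|\\\\|file:)', re.I)

def is_local_codebase(value):
    return bool(LOCAL_PATH.match((value or "").strip()))

class ObjectScanner(HTMLParser):
    """Collects (origin, codebase) for <object> tags with a local codebase."""
    def __init__(self, origin="markup"):
        super().__init__(convert_charrefs=True)
        self.origin = origin
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._script = True, []
        elif tag == "object":
            codebase = dict(attrs).get("codebase")
            if is_local_codebase(codebase):
                self.findings.append((self.origin, codebase))

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            # Heuristic: treat script text as HTML to find tags held in strings.
            self.findings.extend(scan("".join(self._script), origin="script"))

def scan(html_text, origin="markup"):
    scanner = ObjectScanner(origin)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings
```

Tags assembled at run time from string fragments or escaped quotes are outside what this static check can see.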