[29804] in bugtraq
Re: Exploit/DoS in MS Internet Explorer 6.0 (OBJECT Tag)
daemon@ATHENA.MIT.EDU (Roland Postle)
Thu Apr 17 11:50:35 2003
From: "Roland Postle" <mail@blazde.co.uk>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>,
"Ryan Emerle" <securityFocus@emerle.net>
Date: Wed, 16 Apr 2003 18:12:46 -0400
In-Reply-To: <20030416195550.2126.qmail@www.securityfocus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <E195v94-0006nB-00@hawk.mail.pas.earthlink.net>
><object id="test"
> data="#"
> width="100%" height="100%"
> type="text/x-scriptlet"
> VIEWASTEXT></object>
What I think is happening is that IE takes the URL '#' on it's own to
mean current document. (You can ahieve the same affect by specifying
data="document.html" where document.html is the name of the html file
running the code.)
When the data in the file '#' is embedded into the document and
executed it too contains the same object tag which embeds the document
again and again. Eventually it runs out of stack space. I doubt this is
exploitable on it's own except as a DoS.
- Blazde
