MSIE:"SaveRef" cracks "(VictimWindow).document.write"

From: Liu Die Yu (liudieyuinchinaat_private)
Date: Mon Oct 21 2002 - 07:16:36 PDT


    [title]MSIE:"SaveRef" cracks "(VictimWindow).document.write"
    
    [digest]
    MSIE: you can always call "(VictimWindow).document.write" regardless of its 
    zone if you have its reference.
    (please read "[more?]" section; i think it's important.)
    
    [tested]MSIEv6(CN version)
    {IEXPLORE.EXE file version: 6.0.2600.0000}
    {MSHTML.DLL file version: 6.00.2600.0000} 
    Win98
    
    [demo]
    at 
    http://www16.brinkster.com/liudieyu/SaveRef_DocumentWrite/SaveRef_DocumentWrite-MyPage.htm
    or 
    clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.
    
    [exp]
    save the reference of "(NewWindow).document.write" when the zone 
    of "(NewWindow)" is yours. then you can call it via reference even if its 
    zone is not yours.
    
    simple, that's all.
    
    [more?]
    i've read some doc about COM(Component Object Model) at MSDN.
    MSDN says
    "The server is primarily responsible for security—that is, for the most 
    part, the server determines whether it will provide a pointer to one of 
    its objects to a client"
    (at "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/comext_99df.asp")
    this causes "Georgi Guninski"'s "(victimWindow).document" SaveRef flaw. i 
    guess the patch just plants a "security checker" in "window.document". 
    
    but method-SaveRef is not that easy to patch since there are so many 
    methods in so many objects in so many APPLICATIONS(not only MSIE).
    "SaveRef" may end up turning M$ off? ;)
    
    i don't know. please tell me your opinion via email.
    (my physical work is all over, so reply in 24 hours)
    
    [contact]
    liudieyuinchinaat_private
    or
    clik.to/liudieyu ===> "how to contact liu die yu" section
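The design point raised in the "[more?]" section, as an added example that is not part of the original post: a toy model (the names ToyWindow, getWriteCheckedAtHandoff, getWriteCheckedPerCall and savedRefStillWorks are assumptions, not MSIE internals) contrasting an access check made once when a method reference is handed out with a check made on every invocation, which is what defeats a saved reference.

```javascript
// Added example (not from the original post): a toy model of the two
// designs the post contrasts. All names here are constructed.

// A window whose security zone can change when it navigates.
class ToyWindow {
  constructor(zone) { this.zone = zone; this.buffer = ""; }
  navigate(newZone) { this.zone = newZone; }
}

// Flawed design: the zone check runs once, when the reference is handed
// out (like a COM server deciding once whether to give out a pointer).
// The returned function carries no further check, so it keeps working
// after the window moves to another zone.
function getWriteCheckedAtHandoff(win, callerZone) {
  if (win.zone !== callerZone) throw new Error("access denied");
  return (text) => { win.buffer += text; };
}

// Hardened design: the zone check runs on every invocation, so a saved
// reference stops working as soon as the window leaves the caller's zone.
function getWriteCheckedPerCall(win, callerZone) {
  return (text) => {
    if (win.zone !== callerZone) throw new Error("access denied");
    win.buffer += text;
  };
}

// Models the "save the reference, then the zone changes" sequence:
// obtain the reference while the window is in the caller's zone, let the
// window navigate elsewhere, then call the saved reference.
// Returns true if the write still went through (i.e. the design is flawed).
function savedRefStillWorks(getWrite) {
  const win = new ToyWindow("mysite");
  const write = getWrite(win, "mysite"); // allowed: same zone at handoff
  win.navigate("othersite");             // zone changes after handoff
  try {
    write("injected");
    return win.buffer === "injected";
  } catch (e) {
    return false;                        // per-call check refused the write
  }
}

console.log(savedRefStillWorks(getWriteCheckedAtHandoff)); // true
console.log(savedRefStillWorks(getWriteCheckedPerCall));   // false
```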
    



    This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 09:14:42 PDT