Re: i cracked restriction of 'zone' in mozilla.

From: Alla Bezroutchko (allaat_private)
Date: Thu Apr 17 2003 - 09:37:02 PDT


    Liu Die Yu wrote:
    > 
    > i cracked restriction of 'zone' in mozilla.
    > ("that's all" is the end of file if you are in a hurry)
    > 
    > [tested]
    > OS:"Windows Server 2003"
    > 
    > NETSCAPE Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; 
    > rv:1.0.1) Gecko/20020823 Netscape/7.0 "
    > (downloaded on "2003/3/31 UTC+800")
    > MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; 
    > rv:1.3) Gecko/20030312"
    > (downloaded on "2003/4/1 UTC+800")
    > MOZILLA Ver String: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; 
    > rv:1.4a) Gecko/20030401"
    > (downloaded on "2003/4/15 UTC+800")
    
    Also tested and found vulnerable:
    
    Netscape 6.2.3, Netscape 7.0, Netscape 7.01, Netscape 7.02 on Linux.
    
    Mozilla 1.0.2, 1.1, 1.2.1, 1.3a on Linux and Mozilla 1.0 on Windows.
    
    Beonex 0.8.2-stable and Phoenix 0.5 (Mozilla rv.: 1.3a Gecko 
    2002107) on Windows.
    
    > [exp]
    > Mozilla does not wash links on the edge of transforming from one document 
    > to another.
    > 
    > {0}before the content of the next document is loaded & after the security ID 
    > of the current document is changed to the security ID of the next one (such a 
    > period exists):
    > 
    > {1}links, including their "onclick" property, in the current document remain 
    > alive (= clickable).
    > {1.1}I can access my link if I have its reference.
    > Now, I call its "onclick" via the reference of the link:
    > {1.2}"onclick" is executed with the security ID of the next page which is 
    > going to be loaded.
    > (boring? "[demo-exp]" is easier.)
    
    Internet Explorer throws an exception when you try to call the 
    onclick function by saved reference - perfectly correct 
    behavior. Opera seems to silently ignore the call. For Opera it 
    seems to be a common behavior to ignore bad calls without 
    throwing an exception (another example is calling document.write 
    by saved reference on a document that changed origin).
    
    Finally, shameless plug. Our Browser Security Test 
    (http://bcheck.scanit.be/bcheck/) now checks for this vulnerability.
    
    Alla
    
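The window described in the thread, as an added example that is not part of the original posts or of any browser's code: a toy model of a document whose security principal is switched to the next page's before that page has loaded, with a link handler saved by reference and called inside that window. The vulnerable dispatcher takes the subject principal from the document's current principal (the Mozilla behaviour reported above); the fixed dispatcher tags the handler with the principal that installed it and refuses the call once the document's principal has moved on, which is the exception-throwing behaviour Alla describes for Internet Explorer. The origins, the cookie jar, the handler body and all function names are constructed for illustration.

```javascript
// Added example (not from the original post or any browser): model of the
// navigation edge where a handler saved by reference runs after the document's
// principal has already been switched to the next page's.
// All origins, cookies and names below are constructed for illustration.

const cookieJar = {
  "http://attacker.example": "tracking=1",
  "http://bank.example": "session=SECRET",
};

// Any principal-sensitive API must compare the subject principal (who is
// running) with the object principal (whose data is being touched).
function readCookie(subject, origin) {
  if (subject !== origin) {
    throw new Error("SecurityError: " + subject + " may not read cookies of " + origin);
  }
  return cookieJar[origin];
}

// A document with a mutable principal. As in the report, the principal is
// changed to the next page's before that page's content is loaded.
function makeDocument(origin) {
  return { principal: origin, links: [] };
}

// A link whose onclick is tagged with the principal that installed it.
function addLink(doc, onclick) {
  const link = { ownerDocument: doc, creationPrincipal: doc.principal, onclick };
  doc.links.push(link);
  return link;
}

// Vulnerable dispatch: the subject principal is whatever the owner document's
// principal is *now*, so a handler from page A runs as page B during the edge.
function dispatchVulnerable(link) {
  return link.onclick(link.ownerDocument.principal);
}

// Fixed dispatch: the subject principal is the one captured at installation,
// and a handler whose document has since changed principal is "washed", i.e.
// the saved reference throws instead of running (IE's behaviour in the thread).
function dispatchFixed(link) {
  if (link.ownerDocument.principal !== link.creationPrincipal) {
    throw new Error("SecurityError: handler installed by " + link.creationPrincipal +
      " called while document is " + link.ownerDocument.principal);
  }
  return link.onclick(link.creationPrincipal);
}

// Reproduce the sequence {0}..{1.2}: keep a reference to the attacker's link,
// switch the document principal to the target (content not yet loaded), then
// invoke the saved handler and report what it was able to read.
function simulate(dispatch) {
  const doc = makeDocument("http://attacker.example");
  const saved = addLink(doc, (subject) => readCookie(subject, "http://bank.example"));
  doc.principal = "http://bank.example"; // {0}: principal switched, page not loaded
  try {
    return { leaked: dispatch(saved) };   // {1.1}/{1.2}: call via saved reference
  } catch (e) {
    return { error: e.message };
  }
}

console.log("vulnerable:", simulate(dispatchVulnerable));
console.log("fixed:     ", simulate(dispatchFixed));
```

The point of the model is where the subject principal comes from: a handler compiled under one origin must keep that origin for its whole lifetime, regardless of what the enclosing document's principal is later set to, and a document that changes principal must sever or invalidate the handlers it still carries.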



    This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 10:59:21 PDT