MSIE "SaveRef" turns Zone off
2nd Oct 2002 [SBWID-5722]


	Tested on MSIEv6, others?


	Liu Die Yu says:

	MSIE: you can execute jscript in any zone by saving the reference of
	"(NewWindow).location.assign". (content after the "[exp]" section is
	not directly related to the flaw, so skip it if you are in a hurry;)


	MSIEv6(CN version)

	{IEXPLORE.EXE file version: 6.0.2600.0000}

	{MSHTML.DLL file version: 6.00.2600.0000} 




	[demo] at


	or ==> SaveRef-MyPage section.



	[exp] javascript-protocol URL can cause CSS at client side, so
	Microsoft blocked the "(NewWindow).location.assign" method (there is no
	other explanation at all). But we can save the reference (mostly the
	same as 'pointer' in C) of "(NewWindow).location.assign" when we can
	access it, then we can access it forever -- regardless of NewWindow's
	zone, which means we can execute jscript in any zone.

	simple, that's all.
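
	Added example, not part of the original advisory and not MSIE's actual code: a simplified model of the flaw class described in [exp], where the zone check runs when the method is looked up rather than when it is called, shown beside a version that checks on every call. The class, function and zone names are assumptions chosen for illustration.

```javascript
// Simplified model (constructed): a window whose zone changes on navigation.
class ModelWindow {
  constructor(zone) { this.zone = zone; this.executed = []; }
  navigate(zone) { this.zone = zone; }
}

// Policy assumed for the model: script may only drive a window in its own zone.
function mayScript(callerZone, win) { return callerZone === win.zone; }

// Flawed design: the zone check runs once, at property lookup. The function
// it hands back carries no check, so a saved copy stays usable forever.
function flawedLocation(callerZone, win) {
  return {
    get assign() {
      if (!mayScript(callerZone, win)) throw new Error("access denied");
      return (url) => win.executed.push({ url, zone: win.zone });
    },
  };
}

// Hardened design: the check runs on every call, against the window's
// current zone, so an old reference gains nothing after navigation.
function hardenedLocation(callerZone, win) {
  return {
    get assign() {
      return (url) => {
        if (!mayScript(callerZone, win)) throw new Error("access denied");
        win.executed.push({ url, zone: win.zone });
      };
    },
  };
}

// Save the reference while access is allowed, let the window move to another
// zone, then call the saved reference. Returns the zone the call ran in,
// or "blocked" if the call was refused.
function replaySavedReference(makeLocation) {
  const win = new ModelWindow("Internet");
  const saved = makeLocation("Internet", win).assign; // allowed: same zone
  win.navigate("My Computer");                        // zone changes
  try { saved("javascript:placeholder()"); } catch (e) { return "blocked"; }
  return win.executed[0].zone;
}

console.log("flawed:  ", replaySavedReference(flawedLocation));
console.log("hardened:", replaySavedReference(hardenedLocation));
```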



