MSIE->BodyRefreshLoadsJPU:refresh is a new navigation method

2003-09-11T00:00:00
ID SECURITYVULNS:DOC:5090
Type securityvulns
Reporter Securityvulns
Modified 2003-09-11T00:00:00

Description

BodyRefreshLoadsJPU:refresh is a new navigation method

[tested] Browser Ver { MS Internet Explorer: 6.0.2600.0000.xpclnt_qfe.021108-2107; Encryption: 128-bit; Patch:; Q810847; } (So, it's far from fully patched. It also works after applying the patch for the method-caching attack.) OS Ver: "Windows XP Cn ver"

[demo] http://www.safecenter.net/liudieyu/BodyRefreshLoadsJPU/BodyRefreshLoadsJPU-MyPage.HTM or http://umbrella.mx.tc ---> BodyRefreshLoadsJPU section ---> BodyRefreshLoadsJPU-MyPage file

[exp] [VictimWindow] is in another security zone. Execute [VictimWindow].location.href="javascript:[JpuScript]"; then [VictimWindow] will be navigated to a RES-protocol page. At last, press the "REFRESH" button: "Refresh" tries to reload "javascript:[JpuScript]", and the script is executed.

Question: how to press the "REFRESH" button with JScript? Answer in this attack: SaveRef (or "object-caching attack") "document.body", then: bodyRef.document.execCommand("Refresh")

[how] Special thanks to: "Andreas Sandblad" for "Using the backbutton in IE is dangerous" (then I tried to search for other navigation methods); "GreyMagic" for "GreyMagic Security Advisory GM#012-IE" (it showed that "[DocElement].document" is something interesting :-) ); and myself :-). Read those documents, and look for buttons in MSIE.

[greetings] the Pull, dror, guninski, sandblad, greymagic and "Friedrich L. Bauer". Of course, mom and dad.

best wishes


from http://Umbrella.MX.TC on http://SafeCenter.NET