|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Exploit/DoS in MS Internet Explorer 6.0 (OBJECT Tag)
From: Roland Postle (mail
blazde.co.uk)
Date: Wed Apr 16 2003 - 17:12:46 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
><object id="test"
> data="#"
> width="100%" height="100%"
> type="text/x-scriptlet"
> VIEWASTEXT></object>
What I think is happening is that IE takes the URL '#' on it's own to
mean current document. (You can ahieve the same affect by specifying
data="document.html" where document.html is the name of the html file
running the code.)
When the data in the file '#' is embedded into the document and
executed it too contains the same object tag which embeds the document
again and again. Eventually it runs out of stack space. I doubt this is
exploitable on it's own except as a DoS.
- Blazde
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]