[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(MSIE) when parent gives his son bad things ;) --"dialogArguments " again




IFRAME in a page opened by "openModalDialog" has  "dialogArguments" of its 
parent.

[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000} 

[demo]
at 
http://www16.brinkster.com/liudieyu/BadParent/BadParent-MyPage.htm
or 
clik.to/liudieyu ==> BadParent-MyPage section.

/*note: please tell me if "MSIE SP1" allows an internet page contains an 
iframe with local content*/


[exp]
IFRAME in a page opened by "openModalDialog" has  "dialogArguments" of its 
parent. so Attacker can open (via "openModalDialog") his page  which 
contains an iframe whose content is in the victim zone and 
uses "dialogArguments" directly without filtering.

in the demo:
(*)"victim zone" is localzone;
(*)the page from victim zone is "res://shdoclc.dll/privacypolicy.dlg"; it 
uses "cookieUrl" without filtering.

[how]
realize that IFRAME has some properties the same  as those of its parent. 
but the parent can be bad. 

(BTW, i used to hate that my parents give me many bad things, now i 
realize it's my job to resist bad things. ;) )

[contact]
clik.to/liudieyu ==> "How to contact Liu Die Yu" section