Re: IE Bug in Javascript Navigator Object

You can add properties to any object, that's normal behaviour in IE.
It is a cross-site scripting (XSS) bug if you can write it on a site on
domain A and read it from another site on domain B. A mitigating factor for
this is that you cannot read anything but the properties you've added. I
don't think any site has anything worth stealing hidden in there ;) But it
would be a cool way to implement a pipe across domains, using this property
as a buffer.


----- Original Message ----- 
From: "Uli Häfele" <uli.haefele@xxxxxxxxxx>
To: <vuln-dev@xxxxxxxxxxxxxxxxx>
Sent: Thursday, April 01, 2004 18:22
Subject: IE Bug in Javascript Navigator Object

> I discovered a strange thing with the MS/IE recently. The Javascript
> Navigator Object can be written by just adding a property.
> The following code used within an html page
> <script>
> navigator.myString = "Hello world";
> </script>
> adds the property myString to the navigator object.
> The content of the navigator object exists as long as the current
> browser window is open.
> I can read the content of the object even from different domains (first
> domain writes the string, second domain reads it).
> Mozilla doesn't allow the navigator object to cross the domain borders.
> I'm not even sure if this is a bug. Is this behaviour correct?
> _________________________________
> Access your knowledge
> http://www.mindlab.de/
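
The behaviour discussed in this thread, as an added example that is not part of either message: a small JavaScript model of one browser window under two navigator-lifetime policies, with an isolation check that reports which properties written by a page on one origin are visible to a page on another. `ModelWindow`, the policy names and the example origins are constructed for illustration and are not browser APIs.

```javascript
// Constructed model, not browser code: the script-visible navigator object
// inside a single browser window, under two lifetime policies.
class ModelWindow {
  // "per-window": one navigator object lives as long as the window is open
  //               (the behaviour the thread reports for IE).
  // "per-origin": every origin gets its own navigator object
  //               (the thread reports Mozilla keeps it within the domain).
  constructor(policy) {
    this.policy = policy;
    this.shared = ModelWindow.freshNavigator();
    this.byOrigin = new Map();
  }

  static freshNavigator() {
    // Constructed stand-ins for the built-in navigator properties.
    return { appName: "ModelBrowser", userAgent: "Model/1.0" };
  }

  // Load a page from `origin`; return the navigator its scripts would see.
  navigate(origin) {
    if (this.policy === "per-window") return this.shared;
    if (!this.byOrigin.has(origin)) {
      this.byOrigin.set(origin, ModelWindow.freshNavigator());
    }
    return this.byOrigin.get(origin);
  }
}

// Isolation check: a page on originA adds a uniquely named property, then a
// page on originB in the same window lists what is new on its navigator.
// Returns the property names that crossed the origin boundary.
function expandosVisibleCrossOrigin(win, originA, originB) {
  const before = new Set(Object.keys(win.navigate(originB)));
  // Random suffix only avoids name collisions; it is not a secret.
  const marker = "probe_" + Math.random().toString(36).slice(2);
  win.navigate(originA)[marker] = "written-by-A";
  return Object.keys(win.navigate(originB)).filter((k) => !before.has(k));
}

const A = "http://a.example", B = "http://b.example"; // constructed origins
console.log("per-window:", expandosVisibleCrossOrigin(new ModelWindow("per-window"), A, B));
console.log("per-origin:", expandosVisibleCrossOrigin(new ModelWindow("per-origin"), A, B));
```

Only the added property shows up in the result for the per-window policy, which matches the mitigating factor noted in the reply: the second origin sees what was added, not anything else belonging to the first site.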