exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

msieDHTML.txt

msieDHTML.txt
Posted Dec 30, 2004
Authored by Paul From Greyhats

The MSIE DHTML Edit Control code is susceptible to a cross site scripting vulnerability.

tags | advisory, xss
SHA-256 | a2fa0ec2b881347447d64fdd1223cffc003f89298b518e83dc245a833c9ccd93

msieDHTML.txt

Change Mirror Download


Note: This vulnerability as well as many more can be seen at https://freehost07.websamba.com/greyhats/

MSIE DHTML Edit Control Cross Site Scripting Vulnerability

[Tested]
IEXPLORE.EXE file version 6.0.2900.2180
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP Home SP2


[Discussion]
I appologize for my previous vulnerability (longnamevuln) which, through default sp2 settings, would be quite useless :). However, I'm sure that this will make up for it.

While looking at the popup block killer by http-equiv, I became interested in the dhtml edit control. I had a gut fealing that more could be done than simple popup forcing. So I looked into it and surely enough, I did find something. For the first time (afaik) since sp1, we can, without user interaction (which I hate btw), inject script into a page that doesnt belong to us :).

While I don't exacly know the specifics of the dhtmled.ocx control, I believe it uses a lot of the same code from old versions of internet explorer. That might explain why it acts so similarly to internet explorer. Through my testing, I only found one way to navigate to a page using the dhtml edit control: make it run code to 1) specify its window name, then 2) open( ) a page using its new name as the target parameter. This will grab the page and display it in the control. After this, the control is still accessible by its parent, even Script functions. execScript is what I use to directly inject javascript into the control.

SP2 puts extremely heavy security on the javascript: and vbscript: protocols, apparently rendering them useless for hacking attempts. However, there are still plenty of ways to make a target run script. Hehe this is just like to good ol' days of sp1 :)

The example opens https://google.com in the dhtml edit control and attempts to show the location.href and document.cookie of the page in a message box.

Example at https://freehost07.websamba.com/greyhats/abusiveparent.htm
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close