[title]
MSIE:"SaveRef" cracks "(VictimWindow).document.write"

[digest]
MSIE: you can always call "(VictimWindow).document.write" regardless of its zone if you have its reference.
(please read the "[more?]" section; i think it's important.)

[tested]
MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}
Win98

[demo]
at
http://www16.brinkster.com/liudieyu/SaveRef_DocumentWrite/SaveRef_DocumentWrite-MyPage.htm
or
clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.

[exp]
save the reference of "(NewWindow).document.write" when the zone of "(NewWindow)" is yours.
then you can call it via the reference even if its zone is not yours.
simple, that's all.

[more?]
i've read some docs about COM(Component Object Model) at MSDN.
MSDN says
"The server is primarily responsible for security—that is, for the most part, the server determines whether it will provide a pointer to one of its objects to a client"
(at "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/comext_99df.asp")
this causes "Georgi Guninski"'s "(victimWindow).document" SaveRef flaw.
i guess the patch just plants a "security checker" in "window.document".
but method-SaveRef is not that easy to patch since there are so many methods in so many objects in so many APPLICATIONS(not only MSIE).

"SaveRef" may end up turning M$ off? ;)
i don't know.
please tell me your opinion via email.
(my physical work is all over, so reply in 24 hours)

[contact]
liudieyuinchina@yahoo.com.cn
or
clik.to/liudieyu ===> "how to contact liu die yu" section
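
A toy model of the pattern described in the [exp] and [more?] sections, added here as an example and not part of the original advisory: a zone check made only when a method reference is handed out, next to one made on every call. ToyWindow, the zone names and both getWrite functions are hypothetical and do not reproduce MSIE or COM internals.

```javascript
// Toy model, constructed for illustration; not MSIE or COM internals.
class ToyWindow {
  constructor(zone) { this.zone = zone; this.content = ""; }
  navigate(zone) { this.zone = zone; this.content = ""; }
}

// Pattern from the advisory: the zone is checked only when the method
// reference is handed out, never when the saved reference is invoked.
function getWriteCheckedAtAcquire(win, callerZone) {
  if (win.zone !== callerZone) throw new Error("access denied");
  return (text) => { win.content += text; };
}

// Hardened form: the method itself re-checks the zone on every call,
// so a reference saved before navigation stops working afterwards.
function getWriteCheckedAtInvoke(win, callerZone) {
  if (win.zone !== callerZone) throw new Error("access denied");
  return (text) => {
    if (win.zone !== callerZone) throw new Error("access denied");
    win.content += text;
  };
}

// Acquire the reference while zones match, navigate the window to
// another zone, then try both a fresh lookup and the saved reference.
function scenario(getWrite) {
  const win = new ToyWindow("zone-A");
  const savedWrite = getWrite(win, "zone-A");
  win.navigate("zone-B");
  const result = { freshLookupAllowed: true, savedRefAllowed: true };
  try { getWrite(win, "zone-A"); } catch (e) { result.freshLookupAllowed = false; }
  try { savedWrite("marker"); } catch (e) { result.savedRefAllowed = false; }
  result.content = win.content;
  return result;
}

console.log("check at acquire:", scenario(getWriteCheckedAtAcquire));
console.log("check at invoke: ", scenario(getWriteCheckedAtInvoke));
```

In this model the invoke-time check has to be repeated inside each exposed method, which is the patching cost the [more?] section points at.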