TUCoPS :: Browsers :: msiesref.txt

MSIE "SaveRef" cracks "(VictimWindow).document.write"

[title]MSIE:"SaveRef" cracks "(VictimWindow).document.write"


MSIE: you can always call "(VictimWindow).document.write" regardless its 

zone if you have its reference.

(please read "[more?]" section; i think it's important.)

[tested]MSIEv6(CN version)

{IEXPLORE.EXE file version: 6.0.2600.0000}

{MSHTML.DLL file version: 6.00.2600.0000} 







clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.


save the reference of "(NewWindow).document.write" when the zone 

of "(NewWindow)" is yours. then you can call it via reference even if its 

zone is not yours.

simple, that's all.


i've read some doc about COM(Component Object Modal) at MSDN.

MSDN says

"The server is primarily responsible for security—that is, for the most 

part, the server determines whether it will provide a pointer to one of 

its objects to a client"

(at "http://msdn.microsoft.com/library/default.asp?url=/library/en-


this causes "Georgi Guninski" 's "(victimWindow).document" SaveRef flaw. i 

guess the patch just plants a "security checker" in "window.document" . 

but method-SaveRef is not that easy to patch since there are so many 

methods in so many objects in so many APPLICATIONS(not only MSIE).

"SaveRef" may end up turning M$ off? ;)

i don't know. please tell me your opinion via email.

(my physical work is all over,so reply in 24 hours)




clik.to/liudieyu ===> "how to contact liu die yu" section

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH