"assign" method caching
IE:"SaveRef" turns Zone off
This script checks whether the IE client can be made to circumvent
zone sandboxing, cross-protocol scripting,
cookie theft, and possible local file reading / execution

This bug was found by my virtual friend Die Yu Liu,
a super talented 18-year-old from China


Hotmail cookie theft

Hotmail Address Book (under dev)

Save Ref Example

local file reading and execution (Thor Larholm Way)

Exploit IE: you can execute jscript in any zone by
saving a reference to "(NewWindow).location.assign".

demo : http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm

thanx to :
0. all knowledge bases
1. "dror shalev", without his "Who Framed IE" demo at http://drorshalev.brinkster.net/dev/Search and his words, I wouldn't have discovered this flaw. (both "SaveRef" & "Who Framed IE" hurt Microsoft's heart -- OOP/COM/DCOM ;)
2. "the Pull", his words at http://home.austin.rr.com/wiredgoddess/thepull/UnorthodoxBugFinding.txt are inspiring & practical.

exploit: a javascript-protocol URL can cause CSS (cross-site scripting) on the client side, so Microsoft blocked the "(NewWindow).location.assign" method. But we can save a reference (much like a 'pointer' in C) to "(NewWindow).location.assign" while we are still allowed to access it; after that we can call it forever, regardless of NewWindow's current zone, which means we can execute jscript in any zone.
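The design flaw behind SaveRef, as an added toy model that is not code from the advisory or from IE: the zone check guards the moment the method reference is handed out, not each call, so a reference captured while the popup is still same-zone keeps working after the popup navigates elsewhere. All names (makeWindow, makeVulnerableLocation, makeFixedLocation, scenario) and the zone strings are hypothetical and stand in for real browser internals.

```javascript
// Toy model of the "saved reference" bug (added example, not IE code).
// A window records its current zone and any URL "executed" against it.
function makeWindow(zone) {
  return { zone, executed: [] };
}

// Vulnerable pattern: the cross-zone check runs only when the caller
// *obtains* assign. The function it hands back never rechecks the zone,
// so a stale reference retains the capability after the zone changes.
function makeVulnerableLocation(win, caller) {
  return {
    get assign() {
      if (caller.zone !== win.zone) throw new Error("cross-zone access denied");
      return (url) => { win.executed.push(url); return win.zone; };
    },
  };
}

// Fixed pattern: the check is repeated on every invocation against the
// window's zone *at call time*, so saving the reference gains nothing.
function makeFixedLocation(win, caller) {
  return {
    assign(url) {
      if (caller.zone !== win.zone) throw new Error("cross-zone access denied");
      win.executed.push(url);
      return win.zone;
    },
  };
}

// The sequence described in the advisory: capture the reference while the
// popup is same-zone, let the popup move to a privileged zone, then call it.
function scenario(makeLocation) {
  const attacker = makeWindow("Internet");
  const popup = makeWindow("Internet");               // opened by attacker
  const saved = makeLocation(popup, attacker).assign;  // reference taken now
  popup.zone = "My Computer";                          // popup navigates away
  try {
    const ranIn = saved("javascript:void(0)");         // constructed stand-in URL
    return { ran: true, zone: ranIn, executed: popup.executed.slice() };
  } catch (e) {
    return { ran: false, error: e.message, executed: popup.executed.slice() };
  }
}

console.log("vulnerable:", scenario(makeVulnerableLocation));
console.log("fixed:     ", scenario(makeFixedLocation));
```

The vulnerable run reports the URL executing in "My Computer"; the fixed run throws at call time and executes nothing.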