On Mon, 29 May 2006 21:30:31 BST, Aaron Gray said:
> Look at the original post and you will see there is no where to inject any
> code.
>
> Aaron
>
> >> <script>
> >> var wwidth = (window.innerWidth)?window.innerWidth:
> >> ((document.all
> >> )?document.body.offsetWidth:null);
> >>
> >> while (wwidth)
> >> {
> >> self.resizeBy(-999999, -1);
> >> }
> >>
> >> </script>
No *obvious* way to inject code. Don't rule out something like this working:
<script>
var exploit96 = "some long-ass string that's just printable-96 chars"
var wwidth = (window.innerWidth)?yadda yadda...
and exploit96 just happens to end up someplace interesting/useful, and
gets successfully interpreted as executable code.....
A few years ago, somebody found an interesting overflow-the-environment
bug in a lot of telnetd's. Of course, the *tough* part was the fact
that you had to cram literally 45 megabytes or so of crap down telnetd's
throat first, to get the memory layout where you needed it for when
something overflowed a buffer......
Attachment:
pgpW8fqyq2gTY.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/