IE Back button flaw

Thanks Tai and RaINE for the heads up.

IE allows urls containing the javascript protocol in the history list. Code injected in the url will operate in the same zone/domain as the last url viewed. The javascript url can be set to trigger when a user presses the backbutton.

The normal behaviour when a page fails to load is to press the backbutton. The error page shown by IE is operating in the local computer zone (res://C:WINNTSystem32shdoclc.dll/dnserror.htm# on Win2000). Thus, we can execute code and read local files.

This has been tested in Windows 2000/XP environment with Internet Explorer 6.0 fully patched. There is no patch available for this yet.

News source: BugTraq Archive

View: BugTraq - Using the backbutton in IE is dangerous

Report a problem with article
Previous Story

Photoshop 7.0 Scripting plug-in

Next Story

Updated: Internetrix beta sign-up

-1 Comments - Add comment