Update: this seems to be fixed by MS06-042.

PoC for cross-domain access: reading the contents of 'remote' web pages. Tested on IE6 on Windows XP SP2.

This PoC attack works somewhat unreliably. It may help to go to IE Tools > Internet Options and delete everything in Temporary Internet Files.
It does not seem to work through web proxies; it seems to work only with a 'direct connection to the internet'.

It seems to succeed only on pages served with a 'Cache-Control: private' header: www.google.com and a few others, maybe yahoo (keep googling for more).
Rather useless if it only works on a small number of websites.
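The two conditions noted above (a redirect in front of the target, and a target served with 'Cache-Control: private') can be checked from a captured response before trying the PoC against a site. The following is an added example, not part of this page's PoC: it parses a raw HTTP response header block, flags redirects, and reports the Cache-Control directives. The sample responses are constructed, and the reading of 'private' as "the body may be stored in the browser cache" (consistent with the Temporary Internet Files note above) is an assumption, not something this page establishes.

```javascript
// Added example: classify a captured HTTP response by the properties the
// PoC notes above depend on. Not the PoC itself.

// Parse "HTTP/1.x <code> <reason>" plus header lines into {status, headers}.
// Object.create(null) so names like "constructor" cannot collide with
// Object.prototype when we test membership with `in`.
function parseHeaders(raw) {
  const lines = raw.split(/\r?\n/).filter(l => l.length > 0);
  const status = Number(lines[0].split(' ')[1]);
  const headers = Object.create(null);
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i < 0) continue;                       // skip malformed lines
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return { status, headers };
}

// Split a Cache-Control value into a directive -> value map
// ("private, max-age=0" -> {private: true, "max-age": "0"}).
function cacheControlDirectives(value) {
  const d = Object.create(null);
  for (const part of (value || '').split(',')) {
    const eq = part.indexOf('=');
    const k = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!k) continue;
    d[k] = eq < 0 ? true : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
  }
  return d;
}

function classify(raw) {
  const { status, headers } = parseHeaders(raw);
  const cc = cacheControlDirectives(headers['cache-control']);
  const isRedirect = status >= 300 && status < 400 && 'location' in headers;
  return {
    status,
    isRedirect,
    location: isRedirect ? headers['location'] : null,
    cacheControl: cc,
    // Assumption: no-store means the body is never written to the cache.
    storable: !('no-store' in cc),
    // The page reports success only against 'Cache-Control: private' targets.
    matchesObservedPrecondition: 'private' in cc && !('no-store' in cc),
  };
}

// Constructed samples (not real captures).
const SAMPLE_REDIRECT =            // the attacker-side redirect hop
  'HTTP/1.1 302 Found\r\n' +
  'Location: http://www.google.com/\r\n' +
  'Content-Length: 0\r\n';
const SAMPLE_PRIVATE =             // a target that the PoC notes say works
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: text/html\r\n' +
  'Cache-Control: private\r\n';
const SAMPLE_NO_STORE =            // a target that does not meet the precondition
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: text/html\r\n' +
  'Cache-Control: no-store, no-cache, must-revalidate\r\n' +
  'Pragma: no-cache\r\n';

for (const s of [SAMPLE_REDIRECT, SAMPLE_PRIVATE, SAMPLE_NO_STORE]) {
  const c = classify(s);
  console.log(c.status, c.isRedirect ? '-> ' + c.location : '',
              'precondition:', c.matchesObservedPrecondition);
}
```

Feed it the header block from a `HEAD` or `GET` of the candidate page (and of the redirect URL you control) to see, before loading the PoC, whether the site is even in the small set it can target.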

When this PoC attack works, the browser is confused as to the origin of the page: relative links (e.g. the Google image) point at www.maths (and do not work). The bug is not in outerHTML: we use innerHTML.

PoC

Redirected object www.google.com (should always display):

Recovered object (success means vulnerable):

See also:
  http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047398.html
  http://secunia.com/advisories/20825/
  http://secunia.com/internet_explorer_information_disclosure_vulnerability_test/
  http://isc.sans.org/diary.php?storyid=1448
  http://www.kb.cert.org/vuls/id/883108
  http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx
  http://www.securityfocus.com/archive/1/445602

/ub/psz/outerHTML: Proof-of-Concept
Paul Szabo psz@maths.usyd.edu.au 12 Sep 06