Disclaimer:
The opinions expressed in this advisory and program are my own and
not of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect
use of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Description:
Internet Explorer 5.0 under Windows 95 (guess other versions are affected)
with its default security settings allows frame spoofing. The problem is
setting the location of a frame to an arbitrary URL without updating the
address bar.
This vulnerability allows misleading the user he is browsing a trusted
site, while in fact he may be browsing a hostile site which might be stealing
information.
The code is:
----------------------------------------------------------------------------------------
<SCRIPT>
b=window.open("http://www.citybank.com");
function g()
{
b.frames[2].location="http://www.yahoo.com";
}
setTimeout("g()",6000);
</SCRIPT>
----------------------------------------------------------------------------------------
Solution: Set "Navigate sub-frames across different domains" option to Disable
Demonstration is available at msfrspoof.html
Regards,
Georgi Guninski
http://www.guninski.com