RE: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security

From: Pavel Kankovsky (peak_at_argo.troja.mff.cuni.cz)
Date: 07/02/04

    To: Thor Larholm <thor@pivx.com>
    Date: Fri, 2 Jul 2004 02:11:45 +0200 (MET DST)
    
    

    On Thu, 1 Jul 2004, Thor Larholm wrote:

    > It has always been standard practice that you can change, but not read,
    > the location of any window object to a site from the same protocol and
    > security zone. A frame is a window object and all window objects are
    > safely exposed because they by themselves do not reveal any
    > information about the site inside the frame. You can get a handle of any
    > window object to any depth because the frames collection is also safely
    > exposed. This does not give you any kind of access to the document
    > object inside, which would be necessary for any kind of code injection
    > or cookie theft.

    If a script from site A can replace the contents of a frame within a
    document from site B then site A is able to violate the *integrity*
    of B's contents. This is unacceptable.

    Indeed, a "cuckoo's frame" from A would be (should be) unable to
    inject code into documents from site B or steal its cookies. But it could
    masquerade as a genuine frame from B and fool the user. Imagine a login
    frame on site B being replaced by a visually indistinguishable frame from
    site A. You type your password (assuming you are entering it into a form
    from B), press enter and boom! your secret password is sent to A!

    Do you always check the URL of any frame you interact with? Do you
    expect an average user to do that?

    And of course, the requirement that A and B 1. use the same protocol and
    2. are in the same security zone is snake oil. Ad 1. it is trivial for an
    attacker to set up an HTTPS server in order to attack users of another
    HTTPS server. Ad 2. there are only four or so different zones in MSIE,
    ergo in most cases a "good" site B will share the same zone with a large
    number of potential candidates for an "enemy" site A.

    --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
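As an added illustration, not part of Pavel's or Thor's mail: a small Node.js model of the two frame-navigation rules under discussion, the "same protocol and security zone" rule Thor describes versus an origin-based descendant rule (a simplification of what browsers later adopted), applied to the "cuckoo's frame" scenario. The window tree, origins and zones below are constructed for the example.

```javascript
// Model of frame-navigation policies (added example, not code from the mail).
// A "window" is a node in a frame tree carrying the origin and protocol of its
// document and the security zone the browser assigned to it.
function makeWindow(name, url, zone, parent = null) {
  const u = new URL(url);
  const w = { name, protocol: u.protocol, origin: u.origin, zone, parent, children: [] };
  if (parent) parent.children.push(w);
  return w;
}

// Rule as described in the quoted mail: a script may set the location of any
// window object that shares its protocol and security zone, wherever it sits.
function protocolZonePolicyAllows(source, target) {
  return source.protocol === target.protocol && source.zone === target.zone;
}

// Descendant rule (simplified): a script may navigate a target only if it is
// the target, or shares an origin with the target or one of the target's
// ancestors, i.e. it already controls a document that encloses the target.
function descendantPolicyAllows(source, target) {
  for (let w = target; w; w = w.parent) {
    if (w === source || w.origin === source.origin) return true;
  }
  return false;
}

// Scenario from the mail: site B's page holds a login frame; site A's page is
// open in another window of the same browser, in the same (Internet) zone.
// Constructed hostnames: b.example is the victim, a.example the attacker.
function cuckooScenario(attackerUrl) {
  const bTop = makeWindow("B top", "https://b.example/", "internet");
  const login = makeWindow("B login frame", "https://b.example/login", "internet", bTop);
  const aTop = makeWindow("A top", attackerUrl, "internet");
  return {
    // Can A replace B's login frame under each rule?
    attackerUnderProtocolZone: protocolZonePolicyAllows(aTop, login),
    attackerUnderDescendant: descendantPolicyAllows(aTop, login),
    // B's own top document must keep the right to navigate its frame.
    ownerUnderProtocolZone: protocolZonePolicyAllows(bTop, login),
    ownerUnderDescendant: descendantPolicyAllows(bTop, login),
  };
}

console.log(JSON.stringify(cuckooScenario("https://a.example/"), null, 2));
```

Running it shows the protocol-and-zone rule letting an HTTPS attacker navigate B's frame while the descendant rule denies it, and that an HTTP attacker is stopped by the first rule only until it moves to an HTTPS server, which is Pavel's point 1.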

