FrameJammer DOM based XSS

---

• From: mkey@xxxxxxxxxxx
• Date: Mon, 27 Feb 2012 08:50:36 GMT

---

Software:FrameJammer
Author:Hal Pawluk
Software Description: FrameJammer is a little javascript code which prevents opening framed pages outside their frameset. FrameJammer used to be distributed as a Macromedia Dreamweaver extension, nowadays web developers are spreading it with copy-paste.

Problem:
FrameJammer does not validate user input (Window.Location) and therefore it contains a DOM Based XSS vulnerability.

PoC:
http://<url>?javascript:alert(123)~<frame-name>

I did not contact with the author. His website is down and I am not in the possession of his contact information.

---

• Prev by Date: DeepSec "Sector v6" - Call for Papers
• Next by Date: Case YVS Image Gallery
• Previous by thread: DeepSec "Sector v6" - Call for Papers
• Next by thread: [ MDVSA-2012:023 ] libvpx
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: DOM comparison utility ... Capture the DOM of the website later and save it ... Compare the two DOM structures so you could easily see what's ... (comp.lang.javascript) Re: TclDOM Tutorial ... The first place to start is the TclXML website: ... links to some examples and tutorials. ... All what I read on different websites is that DOM is used to read XML ... Is there any helpful website or tutorial that can explain how to use ... (comp.lang.tcl) Chemical Directory - XSS ... Chemical Directory v.unknown (doesnt say on website) ... Effected files: ... XSS Vulnerability via keyword variable: ... (Bugtraq)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > bugtraq  > 2012-02