FrameJammer DOM based XSS



Software: FrameJammer
Author: Hal Pawluk
Software Description: FrameJammer is a small piece of JavaScript that prevents framed pages from being opened outside their frameset. It used to be distributed as a Macromedia Dreamweaver extension; nowadays web developers spread it by copy-paste.

Problem:
FrameJammer does not validate user input (window.location) and therefore contains a DOM-based XSS vulnerability.

PoC:
http://<url>?javascript:alert(123)~<frame-name>

I did not contact the author. His website is down and I am not in possession of his contact information.
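
Added example (not part of the original advisory and not FrameJammer's own code): one way to validate a query of this kind before it is used as a frame location. It assumes the query has the form `<page>~<frame-name>`, as the PoC suggests; `parseFrameRequest`, `ALLOWED_FRAMES` and the frame names are hypothetical.

```javascript
// Added example: validate a FrameJammer-style query ("?<page>~<frame-name>")
// before it is used as a frame location. All names here are hypothetical.

// Frame names the frameset actually defines (constructed sample values).
const ALLOWED_FRAMES = new Set(["main", "content"]);

// Returns { url, frame } when the query is safe to use, otherwise null.
function parseFrameRequest(search, pageOrigin) {
  const query = search.startsWith("?") ? search.slice(1) : search;
  const sep = query.lastIndexOf("~");
  if (sep <= 0) return null; // need both a page and a frame name

  let rawTarget;
  try {
    rawTarget = decodeURIComponent(query.slice(0, sep));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  const frame = query.slice(sep + 1);
  if (!ALLOWED_FRAMES.has(frame)) return null;

  let target;
  try {
    // Resolve relative paths against the page's own origin.
    target = new URL(rawTarget, pageOrigin + "/");
  } catch (e) {
    return null;
  }
  // Reject javascript:, data:, vbscript: and any other non-web scheme.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // Only load pages from the site that hosts the frameset.
  if (target.origin !== pageOrigin) return null;

  return { url: target.href, frame };
}
```

In a browser, the caller would pass `window.location.search` and `window.location.origin`, and assign the frame location only when the result is not null.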


