RE: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security

http-equiv@excite.com
Date: Thu Jul 01 2004 - 15:25:01 CDT


Yes of course.

Two tiny problems though:

1. your little scriptlet doesn't work for me. I get:

'W.frames.2.location' is null or not an object

2. If as you claim this is "standard practice" then there is
something wrong with these browsers as it apparently does not
work on them:

The following browsers are not affected:
* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux

http://secunia.com/advisories/11978/

Perhaps someone who really knows will enlighten us all.

Thor Larholm <thor@pivx.com> said:

> > From: http-equiv@excite.com [mailto:1@malware.com]
>
> Your subject makes it sound like this is a spoofing vulnerability when
> in fact this is expected functionality that has been around since
> Netscape 2 and IE3 which does not grant additional privileges of any
> kind and requires the user to activate WindowsUpdate from your site.
>
> > Here's a quick and dirty demo injecting malware.com into
> > windowsupdate.microsoft.com :)
> > http://www.malware.com/targutted.html
>
> Your script opens a new window and then uses a timer to change the
> location of whatever window object has focus. This does not switch
> security zone or even protocol, all it does is to load your site into a
> subframe of another site. You can accomplish the exact same without
> trying to 'trick' anything by using the following 2 lines:
>
> W=window.open("http://v4.windowsupdate.microsoft.com");
> W.frames[2].location.href = "http://pivx.com/";
>
> This is no different than loading WindowsUpdate in a frame on your own
> site.
>
> It has always been standard practice that you can change, but not read,
> the location of any window object to a site from the same protocol and
> security zone. A frame is a window object and all window objects are
> safely exposed because they by themselves do not reveal any
> information about the site inside the frame. You can get a handle of any
> window object to any depth because the frames collection is also safely
> exposed. This does not give you any kind of access to the document
> object inside, which would be necessary for any kind of code injection
> or cookie theft.
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 23 Corporate Plaza #280
> Newport Beach, CA 92660
> http://www.pivx.com
> thor@pivx.com
> Stock symbol: (PIVX.OB)
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines a new genre in Desktop Security: Proactive Threat
> Mitigation.
> <http://www.pivx.com/qwikfix>
> -----Original Message-----
> From: http-equiv@excite.com [mailto:1@malware.com]
> Sent: Tuesday, June 29, 2004 11:41 AM
> To: bugtraq@securityfocus.com
> Cc: NTBugtraq@listserv.ntbugtraq.com
> Subject: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security
>
> Thomas Kessler was kind enough to inform that this is not new, but in
> fact an old "issue" with Internet Explorer which by all accounts was
> supposed to be "patched" back in 1998[?]:
>
> Microsoft Security Program: Microsoft Security Bulletin (MS98-020)
> Patch Available for 'Frame Spoof' Vulnerability
>
> http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx
>
> Quite clearly this contraption known as Internet Explorer is just
> broken. It's oozing pus from every pore at this stage.
>
> If indeed the issues are the exact same.
>
> You'd better wipe hands of it anyway.
>
> We give up.
>
> --
> http://www.malware.com

--
http://www.malware.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
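The rule Thor describes (a foreign window can set, but never read, the location of a frame) cuts both ways: the page that owns a frameset is the one side that can still read each subframe's location, so it can notice when a frame has been navigated to someone else's content. This is an added JavaScript example, not code from either poster; `auditFrames`, `demo`, the origins and the stub frames are constructed names for illustration.

```javascript
// Added example, not part of the thread above: the owner of a frameset page
// can detect that one of its own subframes was navigated elsewhere. Reading
// a frame's location succeeds only while that frame is still same-origin,
// so a throw or a foreign origin means the frame no longer holds the
// owner's content. All names and origins below are hypothetical.

// Audit a frames collection (window.frames or any array-like of windows).
// Returns one finding per frame that is no longer on `expectedOrigin`;
// an empty array means every frame still belongs to the owner.
function auditFrames(frames, expectedOrigin) {
  const findings = [];
  for (let i = 0; i < frames.length; i++) {
    let origin;
    try {
      // Reading location.href across origins throws a SecurityError in
      // current browsers (IE of that era reported "Access is denied").
      origin = new URL(frames[i].location.href).origin;
    } catch (e) {
      findings.push({ index: i, reason: 'location unreadable (cross-origin)' });
      continue;
    }
    if (origin !== expectedOrigin) {
      findings.push({ index: i, reason: 'unexpected origin ' + origin });
    }
  }
  return findings;
}

// Constructed stand-ins for window.frames so the check runs outside a
// browser: two intact frames, one that throws on read (a foreign document
// was loaded into it), and one readable frame on the wrong origin.
const SAMPLE_FRAMES = [
  { location: { href: 'https://update.example.test/menu.html' } },
  { location: { href: 'https://update.example.test/list.html' } },
  { get location() { throw new Error('SecurityError: access denied'); } },
  { location: { href: 'https://other.example.test/injected.html' } },
];

function demo() {
  return auditFrames(SAMPLE_FRAMES, 'https://update.example.test');
}

// In a real page the owner would poll its own frames, e.g.
//   setInterval(() => {
//     if (auditFrames(window.frames, location.origin).length) { /* reload */ }
//   }, 1000);
if (typeof window === 'undefined') console.log(demo());
```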