Full Disclosure mailing list archives
RE: SUPER SPOOF DELUXE Re: Microsoft and Security
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Fri, 2 Jul 2004 02:11:45 +0200 (MET DST)
On Thu, 1 Jul 2004, Thor Larholm wrote:
> It has always been standard practice that you can change, but not read, the location of any window object to a site from the same protocol and security zone. A frame is a window object and all window objects are safely exposed because they by themselves do not reveal any information about the site inside the frame. You can get a handle of any window object to any depth because the frames collection is also safely exposed. This does not give you any kind of access to the document object inside, which would be necessary for any kind of code injection or cookie theft.
If a script from site A can replace the contents of a frame within a document from site B then site A is able to violate the *integrity* of B's contents. This is unacceptable.

Indeed, a "cuckoo's frame" from A would be (should be) unable to inject code into documents from site B or steal its cookies. But it could masquerade as a genuine frame from B and fool the user. Imagine a login frame on site B being replaced by a visually indistinguishable frame from site A. You type your password (assuming you are entering it into a form from B), press enter and boom! Your secret password is sent to A! Do you always check the URL of any frame you interact with? Do you expect an average user to do that?

And of course, the requirement that A and B 1. use the same protocol and 2. are in the same security zone is snake oil. Ad 1. it is trivial for an attacker to set up an HTTPS server in order to attack users of another HTTPS server. Ad 2. there are only four or so different zones in MSIE, ergo in most cases a "good" site B will share the same zone with a large number of potential candidates for an "enemy" site A.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
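The two policies argued over above, modelled as pure functions so the argument can be checked directly. This is an added example, not code from either poster; the zone assignment (dotless hostnames are Intranet, a small assumed Trusted-sites list, everything else Internet) is a simplified approximation of MSIE's zones, and the hostnames are constructed.

```javascript
// Assumed Trusted-sites list (constructed for the example).
const TRUSTED_SITES = new Set(["partner.example"]);

// Simplified, assumed zone model: dotless hostnames -> Local intranet,
// listed hosts -> Trusted sites, everything else -> Internet.
function securityZone(url) {
  const host = new URL(url).hostname;
  if (TRUSTED_SITES.has(host)) return "Trusted";
  if (!host.includes(".")) return "Intranet";
  return "Internet";
}

// The rule Thor Larholm describes: a script may set another window's
// location when both documents share the protocol and the security zone.
function legacyMayNavigate(scriptUrl, frameDocUrl) {
  const a = new URL(scriptUrl);
  const b = new URL(frameDocUrl);
  return a.protocol === b.protocol &&
         securityZone(scriptUrl) === securityZone(frameDocUrl);
}

// The same-origin rule: scheme, host and port must all match, so a
// document from another site cannot navigate B's frames at all.
function sameOriginMayNavigate(scriptUrl, frameDocUrl) {
  return new URL(scriptUrl).origin === new URL(frameDocUrl).origin;
}

// Pavel's scenario: a script from site A tries to replace the login
// frame inside a document from site B. Returns what each policy permits.
function evaluateScenario(scriptUrl, frameDocUrl) {
  return {
    legacy: legacyMayNavigate(scriptUrl, frameDocUrl),
    sameOrigin: sameOriginMayNavigate(scriptUrl, frameDocUrl),
  };
}

// Constructed cases: two unrelated HTTPS sites (the "Ad 1." point),
// a protocol mismatch, and B navigating its own frame.
const CASES = [
  ["https://attacker.example/", "https://bank.example/login"],
  ["http://attacker.example/", "https://bank.example/login"],
  ["https://bank.example/help", "https://bank.example/login"],
];
for (const [a, b] of CASES) {
  console.log(`${a} -> ${b}`, evaluateScenario(a, b));
}
```

Under the legacy rule the first case passes (same protocol, both in the Internet zone), which is exactly the frame replacement the post warns about; under the same-origin rule only the third case passes.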