| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: 1 at malware.com (http-equiv@...ite.com)
Subject: SUPER SPOOF DELUXE Re: Microsoft and Security
Yes of course.
Two tiny problems though:
1. your little scriplet doesn't work for me. I get:
'W.frames.2.location' is null or not an object
2. If as you claim this is "standard practice" then there is
something wrong with these browsers as it apparently does not
work on them:
The following browsers are not affected:
* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux
http://secunia.com/advisories/11978/
Perhaps someone who really knows will enlighten us all.
Thor Larholm <thor@...x.com> said:
> > From: http-equiv@...ite.com [mailto:1@...ware.com]
>
> Your subject makes it sound like this is a spoofing
vulnerability when
> in fact this is expected functionality that has been around
since
> Netscape 2 and IE3 which does not grant additional privileges
of any
> kind and requires the user to activate WindowsUpdate from your
site.
>
> > Here's a quick and dirty demo injecting malware.com into
> > windowsupdate.microsoft.com :)
> > http://www.malware.com/targutted.html
>
> Your script opens a new window and then uses a timer to change
the
> location of whatever window object has focus. This does not
switch
> security zone or even protocol, all it does is to load your
site into a
> subframe of another site. You can accomplish the exact same
without
> trying to 'trick' anything by using the following 2 lines:
>
> W=window.open("http://v4.windowsupdate.microsoft.com");
> W.frames[2].location.href = "http://pivx.com/";
>
> This is no different than loading WindowsUpdate in a frame on
your own
> site.
>
> It has always been standard practice that you can change, but
not read,
> the location of any window object to a site from the same
protocol and
> security zone. A frame is a window object and all window
objects are
> safely exposed because they by themselves does not reveal any
> information about the site inside the frame. You can get a
handle of any
> window object to any depth because the frames collection is
also safely
> exposed. This does not give you any kind of access to the
document
> object inside, which would be necessary for any kind of code
injection
> or cookie theft.
>
>
>
>
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 23 Corporate Plaza #280
> Newport Beach, CA 92660
> http://www.pivx.com
> thor@...x.com
> Stock symbol: (PIVX.OB)
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines a new genre in Desktop Security: Proactive Threat
> Mitigation.
> <http://www.pivx.com/qwikfix>
> -----Original Message-----
> From: http-equiv@...ite.com [mailto:1@...ware.com]
> Sent: Tuesday, June 29, 2004 11:41 AM
> To: bugtraq@...urityfocus.com
> Cc: NTBugtraq@...tserv.ntbugtraq.com
> Subject: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft
and Security
>
>
>
>
> Thomas Kessler was kind enough to inform that this is not new,
but in
> fact on old "issue" with Internet Explorer which by all
accounts was
> supposed to be "patched" back in 1998[?]:
>
> Microsoft Security Program: Microsoft Security Bulletin (MS98-
> 020) Patch Available for 'Frame Spoof' Vulnerability
>
> http://www.microsoft.com/technet/security/bulletin/ms98-
020.mspx
>
> Quite clearly this contraption known as Internet Explorer is
just
> broken. It's oozing pus from every pore at this stage.
>
> If indeed the issues are the exact same.
>
> You'd better wipe hands of it anyway.
>
> We give up.
>
> --
> http://www.malware.com
>
>
>
--
http://www.malware.com
Powered by blists - more mailing lists