lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040702012001.6593.0@argo.troja.mff.cuni.cz>
From: peak at argo.troja.mff.cuni.cz (Pavel Kankovsky)
Subject: SUPER SPOOF  DELUXE Re: Microsoft and Security

On Thu, 1 Jul 2004, Thor Larholm wrote:

> It has always been standard practice that you can change, but not read,
> the location of any window object to a site from the same protocol and
> security zone. A frame is a window object and all window objects are
> safely exposed because they by themselves does not reveal any
> information about the site inside the frame. You can get a handle of any
> window object to any depth because the frames collection is also safely
> exposed. This does not give you any kind of access to the document
> object inside, which would be necessary for any kind of code injection
> or cookie theft.

If a script from site A can replace the contents of a frame within a
document from site B then site A is able to violate the *integrity*
of B's contents. This is unacceptable.

Indeed, a "cuckoo's frame" from A would be (should be) unable to
inject code into documents from site B or steal its cookies. But it could
masquerade as a genuine frame from B and fool the user. Imagine a login
frame on site B being replaced by a visually indistinguishable frame from
site A. You type your password (assuming you are entering it into a form
from B), press enter and boom! your secret password is sent to A!

Do you always check the URL of any frame you interact with? Do you
expect an average user to do that?

And of course, the requirement that A and B 1. use the same protocol and
2. are in the same security zone is snake oil. Ad 1. it is trivial for an
attacker to set up an HTTPS server in order to attack users of another
HTTPS server. Ad 2. there are only four or so different zones in MSIE,
ergo in most cases a "good" site B will share the same zone with a large
number of potential candidates for an "enemy" site A.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ