mailing list archives
RE: SUPER SPOOF DELUXE Re: Microsoft and Security
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Fri, 2 Jul 2004 02:11:45 +0200 (MET DST)
On Thu, 1 Jul 2004, Thor Larholm wrote:
It has always been standard practice that you can change, but not read,
the location of any window object to a site from the same protocol and
security zone. A frame is a window object and all window objects are
safely exposed because they by themselves does not reveal any
information about the site inside the frame. You can get a handle of any
window object to any depth because the frames collection is also safely
exposed. This does not give you any kind of access to the document
object inside, which would be necessary for any kind of code injection
or cookie theft.
If a script from site A can replace the contents of a frame within a
document from site B then site A is able to violate the *integrity*
of B's contents. This is unacceptable.
Indeed, a "cuckoo's frame" from A would be (should be) unable to
inject code into documents from site B or steal its cookies. But it could
masquerade as a genuine frame from B and fool the user. Imagine a login
frame on site B being replaced by a visually indistinguishable frame from
site A. You type your password (assuming you are entering it into a form
from B), press enter and boom! your secret password is sent to A!
Do you always check the URL of any frame you interact with? Do you
expect an average user to do that?
And of course, the requirement that A and B 1. use the same protocol and
2. are in the same security zone is snake oil. Ad 1. it is trivial for an
attacker to set up an HTTPS server in order to attack users of another
HTTPS server. Ad 2. there are only four or so different zones in MSIE,
ergo in most cases a "good" site B will share the same zone with a large
number of potential candidates for an "enemy" site A.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
Full-Disclosure - We believe in it.