Frame Injection vuln affects all browsers

Antony · 2004/07/05

(not sure if this should be posted here.)

According to Secunia, an old vulnerability was discovered in many modern browsers, allowing malicious people to spoof the content of websites. The affected browsers include Safari, Konqueror, Opera, MSIE, and all Mozilla (Gecko-based) browsers.

The problem is that the browsers don't check if a target frame belongs to a website containing a malicious link, which therefore doesn't prevent one browser window from loading content in a named frame in another window.
Click to expand...

You can test your browser with this detailed instructions.

> More information: Multiple Browsers Frame Injection Vulnerability
Internet Explorer Frame Injection Vulnerability

I do not know if there's any fixes available, however, you can safeguard yourself by checking the Page Info from context menu or View menu and check the child-window (frame)'s actual URL.

Hugh Jarss · 2004/07/05

Hi Antony

it's actually in another thread over here but hiding pretty well - try post#39

as it affects just about all browsers, not Moz/NN specific, perhaps prepare to move!

thing is, how easy is it to nail the problem?

with IE, you simply turn off the "Navigate Sub-Frames across domains" option

if there's a similar way to nobble that "feature" in Netscape/Moz (or indeed any browser whatsoever) it would be highly useful if someone could give clear directions how to do it - regret I cannot answer either how, or indeed whether it can be done for Moz/NN - this computer isn't powerful enough for me to run them

the ability to put sites into security zones helps a lot

best wishes, HJ

Antony · 2004/07/05

Thanks HJ,

A SillyDog701 user reported Mozilla 1.7 on SuSE Linux is not affected.
Mozilla Firefox 0.91 and Mozilla 1.7 are not affected.

GPaDavis · 2004/07/05

Using Mozilla 1.7, WXp Home

Mozilla 1.7 w/windows Xp home seems not to be vulnerable. At least I couldn't find any "injection ".

Bob

Ramona · 2004/07/05

Hi Antony,

Thanks very much for alerting us to this vulnerability. I find that Netscape 7.1 is indeed vulnerable, however, Mozilla 1.7 passed the test with flying colors, as did Firefox 0.9.1.

Ramona

Westside · 2004/07/05

Everything else I tested is vulnerable, from earlier Netscapes, and Mozilla through 1.6. I was told that even 1.7RC3 is vulnerable.

HeyJeff · 2004/07/06

Firefox 0.9.1 passed for me, but Opera 7.51 failed.

Westside · 2004/07/06

Hugh Jarss said:

Hi Antony

it's actually in another thread over here but hiding pretty well - try post#39

as it affects just about all browsers, not Moz/NN specific, perhaps prepare to move!

thing is, how easy is it to nail the problem?

with IE, you simply turn off the "Navigate Sub-Frames across domains" option

if there's a similar way to nobble that "feature" in Netscape/Moz (or indeed any browser whatsoever) it would be highly useful if someone could give clear directions how to do it - regret I cannot answer either how, or indeed whether it can be done for Moz/NN - this computer isn't powerful enough for me to run them

the ability to put sites into security zones helps a lot

best wishes, HJ
Click to expand...

I verified this, and you are correct. IE6, and AOL9.0 are no longer vulnerable.

Log in or Sign up

Frame Injection vuln affects all browsers

Antony Inactive Thread Starter

Hugh Jarss Inactive

Antony Inactive Thread Starter

GPaDavis Inactive

Ramona Geek Member Alumni

Westside Inactive Alumni

HeyJeff Well-Known Member

Westside Inactive Alumni

Share This Page

Log in or Sign up

Frame Injection vuln affects all browsers

Antony Inactive Thread Starter

Hugh Jarss Inactive

Antony Inactive Thread Starter

GPaDavis Inactive

Ramona Geek Member Alumni

Westside Inactive Alumni

HeyJeff Well-Known Member

Westside Inactive Alumni

Share This Page

Useful Searches