IE 5 Subject to Frame Spoofing
Reported November 30, 1999 by
Georgi Guninski
VERSIONS AFFECTED
  • Internet Explorer 5.0

DESCRIPTION

Internet Explorer 5.0 under Windows 95 (guess other versions are affected) with its default security settings allows frame spoofing. The problem is setting the location of a frame to an arbitrary URL without updating the address bar.

This vulnerability allows misleading the user he is browsing a trusted site, while in fact he may be browsing a hostile site which might be stealing information.


DEMONSTRATION

<SCRIPT>
b=window.open("http://www.citybank.com");
function g()
\{
b.frames\[2\].location="http://www.yahoo.com";
\}
setTimeout("g()",6000);
</SCRIPT>

A live demonstration is available at http://www.nat.bg/~joro/msfrspoof.html

DEFENSE

Adjust the security settings of IE. In particular, set the "Navigate sub-frames across different domains" security option (under Tools, Internet Options, Security) to Disable

VENDOR RESPONSE

Microsoft is aware of this matter but has issued no response to date.

CREDITS
Discovered by
Georgi Guninski