IE 5 Subject to Frame Spoofing
Reported November 30, 1999 by Georgi Guninski
Internet Explorer 5.0 under Windows 95 (guess other versions are affected) with its default security settings allows frame spoofing. The problem is that the location of a frame can be set to an arbitrary URL without the address bar being updated. This vulnerability allows misleading the user into believing he is browsing a trusted site, while in fact he may be browsing a hostile site which might be stealing information.

A live demonstration is available at http://www.nat.bg/~joro/msfrspoof.html

DEFENSE
Adjust the security settings of IE. In particular, set the "Navigate sub-frames across different domains" security option (under Tools, Internet Options, Security) to Disable.

VENDOR RESPONSE
Microsoft is aware of this matter but has issued no response to date.
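
The option named under DEFENSE can also be audited from the registry. The PowerShell script below is an added example, not part of the original advisory. It assumes the option is stored as URL action 1607 under the Internet Settings zone keys, as on later Windows and IE releases, and it only reads values.

```powershell
# Added example: report the "Navigate sub-frames across different domains"
# setting for every security zone and registry hive where it is set.
# Assumption: the option is URL action 1607 under Internet Settings\Zones\<zone>.
$action    = '1607'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-SubframeNavigationSetting {
    foreach ($zone in 0..4) {
        foreach ($root in $roots) {
            $key  = Join-Path $root "$zone"
            $item = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value not set in this hive

            $value = [int]$item.$action
            $label = $meaning[$value]
            if ($null -eq $label) { $label = "Unknown ($value)" }

            [pscustomobject]@{
                Zone     = $zoneNames[$zone]
                Hive     = $root.Substring(0, 4)
                Policy   = $root -like '*\Policies\*'
                Setting  = $label
                # Anything other than Disable leaves cross-domain
                # sub-frame navigation possible in that zone.
                Hardened = ($value -eq 3)
            }
        }
    }
}

$results = @(Get-SubframeNavigationSetting)
if ($results.Count -eq 0) {
    Write-Output "URL action $action is not set in any zone key; built-in defaults apply."
} else {
    $results | Format-Table -AutoSize
    $weak = @($results | Where-Object { -not $_.Hardened })
    Write-Output "$($weak.Count) zone entries are not set to Disable."
}
```

Rows with Hardened = False are the zones where the advisory's recommended change has not been applied.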
Discovered by Georgi Guninski
IE 5.0 Subject to Frame Spoofing - 29 Nov 1999