frame.spoof.txt

1999-08-17T00:00:00
ID PACKETSTORM:17908
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Thu, 18 Feb 1999 10:36:49 PST  
From: Robert Thomas <offerrob@HOTMAIL.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: Netscape Communicator window spoofing bug  
  
-Junk deleted-  
  
This was reported back in the November, December time frame by  
secureexperts.com as a frame spoof bug. MS came up with a lame patch  
for IE (that didn't work for all cases BTW). The solution to this was  
provided to a US Government Agency by a contractor. The agency has a  
high public trust and visibility and this was a concern. Any questions  
can be addressed to krawls@erols.com. The consultant came up with the  
following:  
  
The page being called up in the window, i.e. the page  
to be protected, should contain the following (frames or not):  
  
  
<SCRIPT LANGUAGE="JavaScript">  
  
<!--  
  
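// Page-level error hook: any uncaught script error is treated as a possible
// spoof and handed to spoofDetected().
//   errorMessage - text of the error reported by the browser
//   url          - URL of the document in which the error was raised
//   line         - line number of the error
// Returns true, which tells the browser the error was handled and suppresses
// its default error report.
function ErrorHandler(errorMessage, url, line)
{
    var report = " Error message: " + errorMessage +
                 "\n Line number: " + line;

    spoofDetected(report, "TOP", url);
    return true;
}

// Install the handler BEFORE the first check runs. Function declarations are
// hoisted, but this assignment is not: if the check were started first, an
// exception thrown during it (for example while reading a frame's location)
// would go unreported.
onerror = ErrorHandler;

// Start the periodic frame check.
checkMyFramesMulti();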
  
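// Runs one frame check and schedules the next one 15 seconds later.
// Because this is polling, a replaced frame can stay on screen for up to
// 15 seconds before it is noticed (sooner if the framed page's onUnload
// calls checkMe()).
function checkMyFramesMulti()
{
    try {
        checkMyFrames();
    } finally {
        // Re-arm even when the check throws; otherwise a single exception
        // would silently stop all further checks. The exception itself still
        // propagates to the page's error handler.
        // A function is passed instead of a code string so nothing is
        // evaluated from text when the timer fires.
        setTimeout(function () { checkMyFramesMulti(); }, 15000);
    }
}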
  
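// Called from a framed page's onUnload handler (parent.checkMe()).
// Schedules a single frame check 3 seconds later -- presumably so that the
// document replacing the unloading one has had time to load before its URL
// is inspected.
function checkMe()
{
    // A function is passed instead of a code string so nothing is evaluated
    // from text when the timer fires.
    setTimeout(function () { checkMyFrames(); }, 3000);
}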
  
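// Performs one integrity check of this window:
//   1. on Netscape 3+, a non-null self.opener is reported as a spoof;
//   2. the top document's own URL must pass urlOk();
//   3. every child frame's URL must pass urlOk().
// Each failure is reported through spoofDetected(). Nothing is returned.
function checkMyFrames()
{
    var browsername = navigator.appName;
    var browserversion = parseInt(navigator.appVersion, 10);
    var frameUrl;
    var numFrames;
    var i;

    if ((browsername == "Netscape") && (browserversion >= 3)) {
        // A window that was opened by another window keeps a reference to
        // it; this page treats any opener as untrusted.
        if (self.opener != null)
            spoofDetected(" OPENER NOT NULL!!", "TOP", "self.opener");
    }

    frameUrl = location.href;
    if (urlOk(frameUrl).indexOf("false") == 0)
        spoofDetected(" Top is bad!!", "TOP", frameUrl);

    numFrames = self.frames.length;

    for (i = 0; i < numFrames; i++) {
        try {
            frameUrl = self.frames[i].location.href;
        } catch (e) {
            // Browsers refuse to reveal the location of a frame showing a
            // document from another origin, and the read throws. That is
            // exactly the replaced-frame case, so it is reported here with
            // the frame index instead of being left to the page-level
            // onerror handler, and the remaining frames are still checked.
            spoofDetected(" This frame is bad!!", i, "(unreadable)");
            continue;
        }
        if (urlOk(frameUrl).indexOf("false") == 0)
            spoofDetected(" This frame is bad!!", i, frameUrl);
    }
}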
  
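// Decides whether frameUrl is covered by the allowlist served by
// getAuthInfo()/getAuthInfoNum().
// Returns the string "true" or "false" (callers test it with indexOf).
//
// A bare "starts with" comparison is not sufficient for an allowlist: an
// entry such as a scheme-plus-host string is also a prefix of URLs on a
// different host whose name merely begins with the same characters. A match
// is therefore accepted only when the allowed entry ends on a URL boundary:
// the URL is identical to the entry, the entry itself ends in "/", or the
// next character of the URL is "/", "?" or "#".
function urlOk(frameUrl)
{
    var total = parseInt(getAuthInfoNum(), 10);
    var candidate = String(frameUrl);
    var allowed;
    var next;
    var i;

    for (i = 0; i < total; i++) {
        allowed = getAuthInfo(i);

        // Skip missing or empty entries: an empty string is a prefix of
        // every URL and would approve everything.
        if (typeof allowed != "string" || allowed.length == 0)
            continue;

        if (candidate.indexOf(allowed) != 0)
            continue;

        if (candidate.length == allowed.length)
            return "true";

        if (allowed.charAt(allowed.length - 1) == "/")
            return "true";

        next = candidate.charAt(allowed.length);
        if (next == "/" || next == "?" || next == "#")
            return "true";
    }
    return "false";
}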
  
// Reaction to a detected spoof: on Netscape 3+ drop any reference to the
// opening window, then send the whole window to the error page.
//   msg, frm, theUrl - description, frame identifier and URL supplied by the
//                      caller; none of them is used here, so no detail about
//                      the detection is shown or recorded.
function spoofDetected(msg, frm, theUrl)
{
    var appName = navigator.appName;
    var majorVersion = parseInt(navigator.appVersion);
    var isNetscape3Plus = (appName == "Netscape") && (majorVersion >= 3);

    if (isNetscape3Plus && self.opener != null) {
        self.opener = null;
    }

    // spoofpage.html is the error page shown whenever a problem is detected.
    // Assigning through top replaces the entire window, not only this frame.
    top.location.href = "spoofpage.html";
}
  
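// Returns entry number `whichone` (0-based) of the allowlist of URLs this
// page and its frames may show, or undefined when the index is out of range.
// The entries include the scheme, so a URL with a different scheme on the
// same host does not match them.
function getAuthInfo(whichone) {
    // The last entry was split across two lines in the posted listing, which
    // left an unterminated string literal; it is rejoined here.
    var legalUrls = [
        'http://www.agency.gov',
        'http://www.agency.gov/left.html',
        'http://www.agency.gov/top.html',
        'http://www.agency.gov/main.html'
    ];
    return legalUrls[whichone];
}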
  
// Number of allowlist entries that urlOk() examines.
// Keep this equal to the number of URLs listed in getAuthInfo(): entries at
// or beyond this index are never consulted.
function getAuthInfoNum() {
    var entryCount = 4;
    return entryCount;
}
// -->  
  
</SCRIPT>  
  
  
  
In the framed page add the onUnload command:  
  
<BODY BGCOLOR="#FFFFFF" onUnload="parent.checkMe()">  
  
`