frame.spoof.txt
0607ed5c7567bc7f2d7a0270a2802f8203454298ff7fe4a1e8fa5fe52cbf31a0
Date: Thu, 18 Feb 1999 10:36:49 PST
From: Robert Thomas <offerrob@HOTMAIL.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator window spoofing bug
-Junk deleted-
This was reported back in the November, December time frame by
secureexperts.com as a frame spoof bug. MS came up with a lame patch
for IE (that didn't work for all cases BTW). The solution to this was
provided to a US Government Agency by a contractor. The agency has a
high public trust and visibility and this was a concern. Any questions
can be addressed to krawls@erols.com. The consultant came up with the
following:
The page being called up in the window, i.e. the page to be
protected, should contain the following (frames or not):
<SCRIPT LANGUAGE="JavaScript">
<!--
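// window.onerror callback. Any uncaught script error on the protected page is
// treated as a possible spoof: the error message and line number are passed to
// spoofDetected() together with the frame label "TOP" and the url argument.
// Returning true tells the browser the error has been handled, so its own
// error dialog is not shown.
function ErrorHandler(errorMessage, url, line)
{
    var report = " Error message: " + errorMessage + "\n Line number: " + line;
    spoofDetected(report, "TOP", url);
    return true;
}

// Install the handler BEFORE the first check. The check reads
// frames[i].location.href, and a browser may answer that read with an
// exception when the frame holds a document from another site. Thrown with no
// handler in place, that exception would stop the script right here: the
// handler would never be installed and the periodic re-check never started,
// i.e. the protection would fail open.
onerror = ErrorHandler;

// First pass; checkMyFramesMulti() then repeats the check on a timer.
checkMyFramesMulti();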
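// Periodic watchdog: runs checkMyFrames() now and again every 15 seconds.
// The timer is re-armed first, so an exception thrown by checkMyFrames()
// cannot silently end the periodic checking.
// setTimeout is given a function reference rather than a string: no text is
// evaluated as code on each tick, and the call keeps working under a
// Content-Security-Policy that disallows eval-like APIs.
// Between two passes a replaced frame goes unnoticed unless the framed page's
// onUnload handler calls checkMe().
function checkMyFramesMulti()
{
    setTimeout(checkMyFramesMulti, 15000);
    checkMyFrames();
}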
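// Entry point for framed pages: their onUnload handler calls parent.checkMe().
// Schedules a single checkMyFrames() pass 3 seconds later - presumably so the
// document replacing the unloading one has had time to load before its URL is
// checked (TODO confirm the intent of the delay).
// A function is passed to setTimeout instead of a string so that nothing is
// evaluated as code when the timer fires; checkMyFrames is still looked up at
// that moment, as it was with the string form.
function checkMe()
{
    setTimeout(function () { checkMyFrames(); }, 3000);
}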
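// One verification pass over the protected page:
//   1. On Netscape 3+, a non-null self.opener (the reference to a window that
//      opened this one) is reported.
//   2. The page's own URL must pass urlOk().
//   3. The URL of every child frame must pass urlOk().
// Each failure is handed to spoofDetected(msg, frame, url). The pass does not
// stop at the first failure; spoofDetected() may be called more than once.
function checkMyFrames()
{
    var browsername = navigator.appName;
    // Radix given explicitly so the leading digits are always read as decimal.
    var browserversion = parseInt(navigator.appVersion, 10);
    var frameUrl;
    var numFrames;
    var i;

    // NOTE(review): the opener test only runs on Netscape 3+; the posting does
    // not say why other browsers are excluded - confirm before relying on it.
    if( browsername == "Netscape" && browserversion >= 3 && self.opener != null )
        spoofDetected(" OPENER NOT NULL!!", "TOP", "self.opener");

    frameUrl = location.href;
    if( urlOk(frameUrl).indexOf("false") == 0 )
        spoofDetected(" Top is bad!!", "TOP", frameUrl);

    numFrames = self.frames.length;
    for( i = 0; i < numFrames; i++ )
    {
        // Reading the location of a frame that holds another site's document
        // can throw. An unreadable frame is reported here as a failed check,
        // so the result does not depend on a window.onerror handler already
        // being installed: the check fails closed.
        try
        {
            frameUrl = self.frames[i].location.href;
        }
        catch( e )
        {
            spoofDetected(" This frame is bad!!", i, "(frame location not readable)");
            continue;
        }
        if( urlOk(frameUrl).indexOf("false") == 0 )
            spoofDetected(" This frame is bad!!", i, frameUrl);
    }
}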
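// Allow-list test for a URL. Returns the string "true" when frameUrl starts
// with one of the getAuthInfo() entries AND the entry ends at a URL boundary:
// the entry itself ends in "/", or the next character of frameUrl is "/", "?",
// "#" or the end of the string. Returns the string "false" otherwise.
// The boundary test matters because a bare prefix comparison also accepts a
// different host whose name merely begins with an allowed entry. It likewise
// rejects an explicit port that the entry does not spell out.
// Empty or missing entries are skipped: an empty string is a prefix of every
// URL and would otherwise allow everything.
// Callers test the result with indexOf("false"), so the result stays a string.
function urlOk(frameUrl)
{
    var thismany = parseInt(getAuthInfoNum(), 10);
    var Url;
    var next;
    var i;

    for( i = 0; i < thismany; i++ )
    {
        Url = getAuthInfo(i);
        if( !Url || frameUrl.indexOf(Url) != 0 )
            continue;

        if( Url.charAt(Url.length - 1) == "/" )
            return "true";

        // charAt() past the end yields "", which means an exact match.
        next = frameUrl.charAt(Url.length);
        if( next == "" || next == "/" || next == "?" || next == "#" )
            return "true";
    }
    return "false";
}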
// Reaction to a failed check. On Netscape 3+ an existing link back to an
// opening window is dropped (self.opener set to null); then the top-level
// window is sent to the error page.
// msg, frm and theUrl describe what failed. This implementation accepts them
// but neither displays nor records them.
function spoofDetected(msg, frm, theUrl)
{
    var appName = navigator.appName;
    var majorVersion = parseInt(navigator.appVersion);
    var isNetscape3Plus = (appName == "Netscape") && (majorVersion >= 3);

    if( isNetscape3Plus && self.opener != null )
    {
        self.opener = null;
    }

    // spoofpage.html is the error page shown once a problem is detected.
    top.location.href = "spoofpage.html";
}
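// Returns allow-list entry number whichone (0-based), or undefined when the
// index is outside the list. urlOk() compares each entry against the start of
// the URL under test, so the bare 'http://www.agency.gov' entry already covers
// the three more specific ones.
// In the posted copy the last entry was split across two lines by mail
// line-wrapping ('...main.ht' / 'ml'). That is an unterminated string literal:
// the whole script fails to parse and no check runs at all. It is rejoined
// here.
// getAuthInfoNum() must be kept equal to the number of entries.
function getAuthInfo(whichone) {
    var legalUrls = new Array(
        'http://www.agency.gov',
        'http://www.agency.gov/left.html',
        'http://www.agency.gov/top.html',
        'http://www.agency.gov/main.html'
    );
    return legalUrls[whichone];
}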
// Number of allow-list entries that getAuthInfo() hands out one at a time.
// The value is hard-coded: urlOk() loops up to it, so it has to be updated by
// hand whenever an entry is added to or removed from the list.
function getAuthInfoNum() {
    var legalUrlCount = 4;
    return legalUrlCount;
}
// -->
</SCRIPT>
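In each framed page, add the onUnload handler to the BODY tag, so that the parent re-checks its frames a few seconds after the frame's document is unloaded: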
<BODY BGCOLOR="#FFFFFF" onUnload="parent.checkMe()">