Fwd: Frame Spoofing

Kevin W. Bishop bishopk at rpi.edu
Tue Dec 8 12:59:50 EST 1998


Yet another reason to avoid using frames?  

This was fwd'd to me by a colleague reading a web-based courseware
development discussion list.  The linked articles explain the "spoofing" in
greater depth and one includes a demonstration (with disclaimers).  Hm.
While the discoverers of the bug have a work-around *for sale*, at least
they also offer a couple of (high-maintenance?) markup solutions.  

Users beware.
-kb


>>Subject:      Frame Spoofing
>>To: WWWDEV at hermes.csd.unb.ca
>>
>>"Web Sites Using Frames Vulnerable to New Spoofing Attack -
>>
>>This very serious problem affects even the biggest and best
>>known Web sites. A simple hack can apparently cause any Web
>>site that uses frames to display anything the hacker chooses
>>or cause a site to display a form which, if filled in, would send
>>information back to the attacker. SecureXpert Labs found the
>>problem, dubbed the "Frame Spoofing" vulnerability (FSV), and
>>demonstrated it by hacking the New York Stock Exchange Web
>>site. Due to the way Web browsers handle frame content,
>>attackers who know the URL of a frame on your Web page can
>>insert false information into that frame when it is presented to
>>a user. Tasty Bits from the Technology Front (TBTF) offers a
>>workaround but it's not pretty (don't use static frame names).
>>You'll find a threaded discussion of the issue on Bugtraq.
>>Webmasters at high profile Web sites can bet that somebody
>>will try to use this against them."
>>
>>FSV: http://www.securexpert.com/framespoof/index.html
>>TBTF: http://tbtf.com/archive/11-17-98.html#s02
>>Bugtraq: http://geek-girl.com/bugtraq/1998_4/0475.html


____________________________________________

Kevin W. Bishop                              
Campus-Wide Information System Coordinator
Libraries and Information Services
Rensselaer Polytechnic Institute             
110 8th St. Troy, NY, 12180-3590    
(518) 276-8332   Fax  276-8559
<bishopk at rpi.edu>
<http://www.rpi.edu/rpinfo>
____________________________________________
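The workaround the forwarded text mentions (don't use static frame names), as an added example that is not code from the original post, from SecureXpert or from TBTF: a small server-side Python sketch that assigns unpredictable frame names per response, together with an audit helper that lists the frame names a frameset document declares. The two-frame layout, the URLs, the `nav_`/`main_` naming scheme and the `looks_static` heuristic are assumptions made for this example; the server is assumed to keep the chosen names in its session store so the navigation frame can target the content frame.

```python
import secrets
from html import escape
from html.parser import HTMLParser

# Constructed sample: a frameset with static, guessable frame names, the
# pattern the forwarded advisory warns about.
STATIC_FRAMESET = """<html><frameset cols="20%,80%">
  <frame name="nav" src="nav.html">
  <frame name="main" src="main.html">
</frameset></html>"""


def make_frame_names(entropy_bytes: int = 16) -> dict:
    """Choose a fresh, unpredictable name for each frame in the layout.

    A link is routed into a frame by naming it in the link's target
    attribute, so a name that changes on every response cannot be known
    in advance. The readable prefix keeps the markup easy to debug.
    """
    token = secrets.token_hex(entropy_bytes)
    return {"nav": f"nav_{token}", "main": f"main_{token}"}


def render_frameset(names: dict, nav_url: str = "nav.html",
                    main_url: str = "main.html") -> str:
    """Render the outer frameset document with this response's names."""
    return (
        '<html><frameset cols="20%,80%">\n'
        f'  <frame name="{escape(names["nav"], quote=True)}" src="{escape(nav_url, quote=True)}">\n'
        f'  <frame name="{escape(names["main"], quote=True)}" src="{escape(main_url, quote=True)}">\n'
        '</frameset></html>\n'
    )


def render_nav(names: dict, links) -> str:
    """Render the navigation frame; every link targets this response's
    main frame. The names are assumed to come from the session store so
    that the frameset and the navigation page agree."""
    items = "".join(
        f'<li><a href="{escape(url, quote=True)}" '
        f'target="{escape(names["main"], quote=True)}">{escape(text)}</a></li>\n'
        for text, url in links
    )
    return f"<html><body><ul>\n{items}</ul></body></html>\n"


class _FrameNameCollector(HTMLParser):
    """Collect the name attribute of every <frame> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            for key, value in attrs:
                if key == "name" and value:
                    self.names.append(value)


def find_frame_names(document: str) -> list:
    """Audit helper: list the frame names a frameset document declares."""
    collector = _FrameNameCollector()
    collector.feed(document)
    collector.close()
    return collector.names


def looks_static(name: str, min_random_hex: int = 32) -> bool:
    """Heuristic tied to the naming scheme above: a name without a long
    random hex suffix is predictable, so a link on another site could
    target it by name."""
    _, _, suffix = name.rpartition("_")
    is_hex = suffix != "" and all(c in "0123456789abcdef" for c in suffix)
    return not (is_hex and len(suffix) >= min_random_hex)


if __name__ == "__main__":
    names = make_frame_names()
    print(render_frameset(names))
    print(render_nav(names, [("Home", "home.html"), ("Quotes", "quotes.html")]))
    for doc in (STATIC_FRAMESET, render_frameset(names)):
        for n in find_frame_names(doc):
            print(f"{n}: {'STATIC' if looks_static(n) else 'per-response'}")
```

Run `find_frame_names` over the framesets a site actually serves to see which names are fixed; the heuristic only recognises the hex-suffix scheme used here, so adapt it if the names are generated differently. This addresses routing by frame name, the mechanism the advisory describes; it does not change what a frame loads once its name is known, so the names must never be reused across responses.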



More information about the Web4lib mailing list