[35529] in bugtraq
SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security
daemon@ATHENA.MIT.EDU (http-equiv@excite.com)
Tue Jun 29 14:16:04 2004
Message-Id: <200406291422.i5TEMKHP032064@web117.megawebservers.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 29 Jun 2004 14:22:20 -0000
From: "http-equiv@excite.com" <1@malware.com>
Cc: <NTBugtraq@listserv.ntbugtraq.com>
Reply-To: 1@malware.com
> On the subject of IE bugs, I am running SP2 RC2,
IE6.0.2900.2149 today I
> opened a window
> http://www.asus.com/products/server/srv-mb/ncch-dl/overview.htm
> In another IE window I had www.ingrammicro.com/uk open
>
> Whe I click on the picture of the motherboard in the first
page to enlarge
> it, it changes the ingrammicro page to have the picture of the
motherboard
> in it but still displays the ingrammicro page title in the
browser bar, and
> the top "frame" of the ingrammicro page....
>
> Weird one, I don’t know if it is restricted to this build of
IE though
> HTH
> Mark
isclosure-charter.html
This is unbelieveable. Super Spoof DeLuxe ! Simply knowing the
frame name of the target site we can modify the asus.com crazy
code and inject whatever we want into the target site.
Here's a quick and dirty demo injecting malware.com into
windowsupdate.microsoft.com :)
http://www.malware.com/targutted.html
- using window.open most popup blockers will block it, disable
for the demo or recode with just open() or something else which
can defeat them
- this demo hinges on the site code frame name being in english
for the demo url of windowsupdate.com
-you need to time the loading of the target site before injecting
- quick testing from google frame + bank, yields banking sites
using frames where it too works
exact reason or code in asus.com not examined at this time.
Well done Mark. A recording setting lunker.
--
http://www.malware.com
