[8613] in bugtraq
Re: Vulnerability in Netscape & Microsoft Web browsers
daemon@ATHENA.MIT.EDU (Paul Shields)
Fri Nov 20 14:30:43 1998
Date: Thu, 19 Nov 1998 16:46:57 -0500
Reply-To: Paul Shields <shields@PASSPORT.CA>
From: Paul Shields <shields@PASSPORT.CA>
To: BUGTRAQ@NETSPACE.ORG
Richard Reiner reports,
[...]
> Full details, and HTML-based and Javascript-based demos, can be found at
> http://www.securexpert.com .
Richard didn't disclose details on how webmasters can prevent their sites from being
used as unwitting accomplices to this attack. So here goes...
It appears that the attacker needs to guess the name of the target frame, which for
static pages is trivial. If this is true, then dynamically generated HTML can defeat the
attack at the host side, by generating an address- or session-based frame name that is
unguessable by the attacker.
To do this, modify the frame name to use the hash of a secret appended to the remote's
IP address:
frame_name = original_name + SHA1( browser_IP_address + secret);
cheers,
--
Paul Shields, mailto:shields@custodians.com
Custodian Software Inc. 962 Bloor Street West Toronto, Ontario M6H 1L6
Tel: +1 416 537-0015 Fax: +1 416 536-5793
