HTML Frames Considered Harmful

DLWormwood writes "Secunia has recently issued yet another advisory about web browser vulnerabilities, this time concerning the use of frames in web pages. Originally discovered to be in Internet Explorer, the security experts apparently worked overtime just to make sure the same "flaw" is found in just about every other browser out there. Doesn't this notice simply complain about a specified design feature of frames? (Note their official "advice": "Do not visit or follow links from untrusted websites.")"

CSS

[Joe+the+Lesser]

My IT professors beat into my brain that all formatting that even remotely resembles frames should be done with CSS(Cascading Style Sheets) positioning.

Re:CSS

[bofkentucky]

or tags to include staticly generated content without aditional load on the server.

Re:CSS

[The+Mayor]

In addition to using the tag, which is available only to IE users, you can also use tags and issuing requests to a hidden iframe that posts the results back to the parent window. Using the div tag approach, of course, still requires an iframe, but at least it's cross platform.

Re:CSS

[bofkentucky]

Actually it is the reverse, NS7 and Moz1.8a1 render the object tag, which is valid HTML4.0 strict/XHTML1.0 strict perfectly

NS4.80 does what it should when you can't render an object, render the content that the object surrounds

IE6sp1 fails to render the object or the alternative, see for yourself here.

Didn't work on me

[MachDelta]

Meh, didn't work on me. I've got Firefox set up to open links in new tabs, so all that happened was the supposed "frame" from Secunia appeared in its own tab. The only way for a link to open within an existing tab is if A) I tell it so, and B) it originates from the same tab. So nyeh!

Re:Didn't work on me

[TulioSerpio]

The site says Firefox 0.9 is not affected.

Wasted time.

[BrookHarty]

I'm sitting here trying to get this to work on IE, Mozilla and Firefox then I read the bottom of the page.


The following browsers are not affected:
* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux


All my browsers are allready patched! Even IE was patched.

Re:Wasted time.

[stienman]

It worked on my Mozilla 1.7
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040514

-Adam

IE with proper security settings not affected.

[bentfork]

This is the same problem that is being exploited by banner ads setting cookies across domains.

If you go to security settings in IE ( I've checked IE 6.x ) click custom level, and set "Navigate sub-frames across different domains" to prompt. You will get a nice little pop up warning.

Now I can visit unsafe websites like microsoft.con

Fixed in Mozilla 1.7 and Firefox 0.9

[jesser]

Lorenzo Colitti and I found the same hole several weeks ago, independently of Mark Laurence. I reported it to mozilla.org on June 11 and to Microsoft and Opera on June 16. I got different results from each browser maker:

Mozilla (bugzilla.mozilla.org 246448) Fixed on June 14. Firefox 0.9 released with the fix June 14. Mozilla 1.7 released with the fix June 17. Opera (bugs.opera.com 145283) No response. Microsoft On June 21, I received an e-mail containing the following: "... is by design. To prevent this behavior, set the 'Navigate sub-frames across different domains' zone option to Prompt or disable in the Internet zone. We are trying to get this fixed in Longhorn ... on getting this blocking on by default in XP SP2 but blocking these types of navigations is an app compatibility issue on many sites." I usually don't get any response from Microsoft when I report security holes to them; I think I only got a response this time because I used my employer's premier support contract with Microsoft.

Another cross-browser security hole I found (bugzilla.mozilla.org 162020) got similar responses from each browser maker: fixed in Mozilla 1.7 and Firefox 0.9; no response from Opera; confusing statement from Microsoft mentioning XP SP2. 162020 is an arbitrary code execution hole.

This may be exploited and is a real threat

[aWalrus]

Although it's true that this is "working as designed", it does present an interesting exploit scenario. Let's assume you visit evilguy's site, supposed to be a financial portal. From there, a list of links direct you to the (framed) pages of banks where you can run your operations.

Now, evilguy's site has javascript code running that will detect when one of the interesting frames is available (frames that contain login info). It means that you're trying to log into your account at one of the bank sites. What it does is serve you a facsimile that looks exactly like the original login screen, except this one sends the info to evilguy's site.

When your login info is in evilguy's database, he just sends it to the bank and replaces the frame again with the content the bank returned. Voila! Successfully executed framejacking to invisibly steal your login info.

This might be serious.

Re:This may be exploited and is a real threat

yay man in the middle attacks! good point, poster.

Tabbed Browsing

I just checked - indeed - works in Netscape 7.1 and doesn't in Firefox 0.9.1. However, it doesn't work anymore in Netscape if you open the page as a tab instead of another window. Somehow tabs don't work very well with frame names, at least in Netscape.
It's actually implementation issue - for most browsers - letting other pages swap frames in framesets that don't belong to them. Whoever said that frames don't have owners - it's not quite true - frames are hierarchical to some degree, so it's not so difficult to figure out - see Firefox if you need a proof.

Re:"discovery" after fix!?

[jesser]

Several security holes have been fixed since Mozilla 1.4, including an arbitrary code execution hole. Please upgrade to Mozilla 1.7 or Firefox 0.9.

Security holes are discovered and fixed in web browsers often. To be safe with any browser, you should upgrade when a new version is released, regardless of whether the release is accompanied by a security advisory regarding older versions.

Re:Not a bug, a feature

[Matthew+Weigel]

Parent window? Child window?

Different windows. Open a new copy of your browser, doesn't matter how...

This is a vulnerability because no matter how separate the user tries to keep two windows (for instance, using a bookmark to open ImportantBanking.com rather than clicking on a link to ImportantBanking.com from an untrusted external website), an untrusted external website can change the content in a frame of the ImportantBanking.com window.

Re:"discovery" after fix!?

[jesser]

I thought Mozilla [1.4.x] was the "supported" version that recieved security updates?

It was, until Mozilla 1.7 was released. Mozilla 1.7 is the new stable branch. Don't expect more 1.4.x releases.

Re:Frames are evil, anyway

[lphuberdeau]

Depends on what the scope is, and you don't need to load everything in the first place anyway.

I'll just use an example from Frank Boumphrey (Source: http://conf.phpquebec.org/main.php/en/cdrom2004/se ssion#3), this system was used for an hospital, only the local/frequent zip codes were sent to the client in the first place. Once again, this was for an internal application, but it can really apply anywhere.

If sending the entire list is not an option, it's still possible to get the page to go fetch the information directly using Mozilla's XMLHttpRequest class or IE's HTTPREQUEST ActiveX component. (Well explained here: http://www.phppatterns.com/index.php/article/artic leview/82/1/2/).

Those features are quite obscur but have been around for quite a while now (years). Most browsers actually support it. And for the other ones, they can still type the entire thing.

I hope these details answered your questions.