Spoofing Flaw Resurfaces in Mozilla Browsers
GregThePaladin writes "A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames. The applications don't check whether the frames displayed in a single window all originate from the same Web site." Commentary on this at whitedust as well.
Oh, damn IE for being so insecure. Wait, this is about an Open Source browser---damn IE for being so insecure!
The number of Firefox vulnerabilities that have been exposed is frightening. But I wonder when the first actual exploit will be found...
Try out fish, the friendly interactive shell.
from TFA:
For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows.
So, uh, what about tabs? 'Cause I never have 2 windows open at the same time.
Your sig(k) has been stolen. There is a puff of smoke!
If I understand correctly, this is like a cross site scripting (XSS) attack? But a malicious web designer can put a master frame with his code, and just put something inside like paypal?
Interesting. I have a dedicated profile set up specifically for private accessing (yes, I'm paranoid :P). I wonder how Firefox handles multi profiles, and multiple windows...
Type: Spoofing
Exploit: Local
Effects: All browsers
Description:
A 7 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.
The problem is that the browsers don't check if a piece of black electrical tape is on the screen covering the address bar, which prevents the user from identifying the source of content in the browser window.
Successful exploitation allows a malicious website to load arbitrary content with its source masked by the black tape. The user cannot know if this is a trusted site.
Solution:
Remove the piece of electrical tape from the screen. Windex may be necessary to clean up afterwards.
Unknown host pong.
Recycling old bugs...I have to say that the Mozilla code base is losing some credibility with mistakes like this. Seems like a code audit is called for guys...
The NSA: The only part of the US government that actually listens.
Is the Moz community going to release a fix for Suite?
Welcome to the Panopticon. Used to be a prison, now it's your home.
is it impossible to test new releases against old bugs?
Does the firefox community have any regression testing? They need fully automated test like the linux kernel has now.
This is somewhat of a tough issue...because obviously you can open up a spoofed page inside of a frame that looks like a legit page. However, there are legit reasons to open up other offsite content in a frame (take a look at ask.com...I believe they leave a frame up top to their site then open another site from their searches).
The best idea would be to just get rid of frames completely, they suck.
-dave
http://millionnumbers.com/ - own the number of your dreams
The Debian package of Firefox 1.0.4, with the extension tabbrowser preferences installed isn't, for example. As a result of this extension, the frame isn't injected into the frameset that is being targeted, and is opened in a new tab instead.
It is surprising, though, that a security vulnerability like this goes unnoticed for so long. On the other hand, I very much doubt that anybody has actually used this to exploit users.
www.fearthecow.net
Just one problem - the example "exploit" doesn't work. I press the MSDN link, it opens up in a new tab, press the demonstration link... And nothing happens.
So what do I do wrong?
Saying the bug resurfaced is not completely true. This bug was removed from the old Netscape rendering engine, and reintroduced when replacing it with the new and fancy Gecko rendering engine. Apache also reintroduced a number of bugs when switching from 1.3 to 2.0, I believe. That is one of the many prices you pay when rewriting old code from scratch.
Try out fish, the friendly interactive shell.
It's bad when a vulnerability listed in a few year old Hacking Exposed book scares me. I'd say that it would be a good start to use telnet for web browsing but even the telnet client I was using had a buffer overflow exploit. Le sigh!
Or are they supposed to scrap it all and rewrite from scratch every few years? I sure hope not. Anyone else out there remember M13, M14, M15, etc.? *shudder*
- I don't need to go outside, my CRT tan'll do me just fine.
It appears that if you have the Tabbrowser Preferences extension installed, then this exploit doesn't work.
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
it's actually nothing to do with malicious code...it's just that someone could make an easy fake site with frames... I'm sure there are some sites that legitimately use this feature with different parts of their site hosted on different servers...What's next? Ban sites that use offsite graphics?
"A truly wise man realizes he knows nothing."
Does the Firefox team use any automated testing on the project? Seems like these sort of errors could stay dead, if so.
Software testing automation tools
If you mod me down, I shall become more powerful than you could possibly imagine.
This isn't Microsoft and Windows 2000. Of course they'll release a fix. In the year 2045, they might just tell you to upgrade though, even Open Source has its limits for supporting old software....
Suite will be EOL'ed, but security patches are still being applied.
IIRC 1.x is feature frozen, but still 'active'.
To have such fundamental flaws appear, whether by accident or negligence, is unacceptable.
Furthermore, the browser "industry" and the commercial sector NEED to come up with some guidelines as to how to promote and ensure online security for financial transactions and personal data.
For example, it's almost impossible for the casual or sophisticated user to easily determine whether a frame that appears within a website actually belongs to that website, or another. For example, if you have an online account with MBNA credit card, and make an online purchase, some vendors will display an MBNA authentication page which asks you to login to your online account to verify the purchase.
The problem is that this authentication page appears as a frame within the online vendor. How can you tell whether that frame is a legitimate MBNA page, or just a clever phishing attack? The browser gives no indication as to whether the frame belongs to MBNA or the vendor.
PayPal suffers from the same thing. I hate clicking on the "Make a Donation" button of some sites, and then seeing the PayPal login appear within a frame of the original site. That prevents me from making a donation - with today's complicated scripting invocations and what not, I don't feel trusting enough to type my account info and password into some frame which happens to appear in the middle of some other organization's website.
I can't BELIEVE that MBNA and PayPal would promote such idiotic practices, much less allow them to happen.
I tried to test this spoof with the instructions from TFA, and I cannot seem to get it to work.
I tried to open the links in tabs. 1st the MS one, then the Secunia, then the MS one again. Nothing out of the ordinary happened. The MS page showed up like it should, unlike the article said.
I also tried it with tabs, but still nothing.
This is nothing more than BS spreading FUD.
(I am using Firefox 1.04)
Generally true. But a little clever scripting with IFRAMEs and you can make your AJAX work in older browsers, so they're not totally useless.
-1 Uncomfortable Truth
Even -if- this gets exploited, it doesn't work cross tabs and it doesn't work if you have more than one tab open in the window containing the 'trusted' site; at least not on FF 1.04 here on BeOS.
Now, how many FF users still browse with multiple windows and NO tabs? Anyone who found out about it the geeky ways uses tabs, and I should hope that the first thing you show any Joe Idiot how to do when you install FF on the machine you've just (been paid to) de-spyware is use the tabs...
really good about now. Opera is the only browser I am aware of that has all *known* vulnerabilities fixed. Per http://secunia.com/product/4932/
YMMV, but methinks even though I use Ubuntu, I may make the switch to Opera for added security.
I wish I had mod points.
I'd help you on the way to be a +5 Troll (I'd just vote underrated).
While the language is harsh, you are right. Frames do cause problems.
They sound good, but they bring problems with them.
The Internet is full. Go Away!!!
You mean like "for the originating site only"
Never confuse volume with power.
The bug in IE was reported almost a year ago, and it is still unpatched.
The bug was reported in all major browsers (Mozilla and Firefox, Opera, Safari, Konqueror, IE), and was patched in all of them except IE. It has now reappeared in Mozilla.
No, it's malicious code targeting spoofing trusted websites that use frames. No website should be using frames for the trusted portion of their site, IMO. That's bad design, and prone to phishing attacks on their customers.
So why can't we get a plug-in to spoof primidi org (Roland Piquepaille's whore "technology site"), for those who can't edit their host file. Not all spoofing is necessarily bad, you know.
The whole terminology used for web sites belies the myth of a trusted web site.
Web sites are placed on "sacrificial hosts" in a "DMZ". Web sites are not trusted by the people who build them and never have been. If the owner of a web site doesn't trust it, why should you?
A victim would never need to visit an "untrusted" web site, because this defect could be coupled with others (exploit chaining). It's even been done before with other defects, notably Download.ject.
If you mod me down, I shall become more powerful than you could possibly imagine.
Now...take how many bugs have been exposed in Firefox and how many have been exploited.
How many bugs have been exposed in IE and exploited? (Especially because for IE it's almost a 1:1 ratio)
~Ilyanep
To get message, take amount of carrier pigeons at each stage mod 2. Then decode binary.
ever since the article appeared out of the near future, (5-10mins) I've been trying to get it to work, turns out that the tabbrowser extension prevents the exploit from occurring because it rewrites the target attribute
Gravity Sucks
Is this truly a bug?
;)
I tried the exploit with a W2k box that has IE Version 6.0.2800.1106CO with SP1 and several Q### patches installed and it produces the same result.
I see how this could be used as an exploit but is it really a bug? I have written code for a game website which used multiple windows with frames and the information in the frames came from two different web servers. Yeah, I know, it sounds like a web surfing nightmare, but fret not, it was an experiment. But my point is that this may not actually be a bug, and may be an issue to consider when creating a secure website. In other words, as others here have stated, don't use frames!
burnin
The applications don't check whether the frames displayed in a single window all originate from the same Web site.
And they shouldn't check that because often frames do not originate on the same web site (e.g., Google, Hotmail). The problem is if you try to frame something low security inside something high security; the other direction is OK.
What they should check (according to Secunia) is something different: when code attempts to put content into a target, the browser should check whether that code actually created that frame and otherwise refuse.
A simple way of fixing this problem might be to prefix the name of any frame with the host that created it, so that "target=foobar" actually means "target=www.host-of-this-page.com::foobar"; that also helps avoid confusing name conflicts between web sites. But that suffers from the same problem as anything else that relies on host names: you can't tell which ones are supposed to "belong together".
Alternatively, you might require that if any frame in a window uses https, then all of them must, and they all must use the same certificate.
The best solution is probably just to abolish frames altogether; they cause many other problems as well.
A slightly less drastic solution would be to prohibit the display of any https content in a frame.
The problem is not offsite graphics. The problem is controlling one webpage with an offsite webpage. This should never ever ever ever be allowed for obvious reasons. From TFA: "As a result, an attacker could insert content into a frame on a trusted Web site." (read that: "a website can modify the contents of a trusted website".)
There is absolutely no reason anyone should ever use this exploit for legitimate reasons. Yes, I can think of a few times it would be great if one website could help someone fill out another website's forms - but it's not necessary. If someone really wants to do that, they should attain permission and do it via GET or POST vars, or some serverside communication.
A website should still have control over what page is being shown in its frames, but not over the content of those pages directly.
-dave
http://millionnumbers.com/ - own the number of your dreams
The problem is not that different frames can come from different sites. The problem is that one site can change the existing content of a frame that is already being displayed.
So, if you do banking in one window and you then open up a malicious site in another, the malicious site can change the content of a frame in your banking window. That's not "faking", it's something worse.
I can't think of a legitimate use for that "feature" in a real application, and the fact that it didn't use to work suggests that sites aren't relying on it.
Let's hope so. I love it when the competition does most of the field research for me.
The eternal struggle of good vs. evil begins within one's self.
Sorry if I'm misunderstanding you, but I think you have it backward. They're not saying that hack.ru could have a frameset that pointed to a frame with a real ebay page. They're saying that if ebay had a frameset, hack.ru could use javascript to insert itself as one of the frames. That is indeed a security hole -- unless you want to claim that it's one of those extra features that differentiates Firefox from Safari and IE ...
If you had bothered to read the linked demo page you would know that the bug is present in IE and Opera as well.
I just tried it in IE6 (Win2K) and it works just the same as Firefox.
The only problem is that this feature (affecting the frames of one window from another) is actually used a lot, for example when pop-ups are involved. I know of at least one banking application which will break if they flat out disallow changing one frame from within another.
A better solution would be to only allow it for frames sharing the same domain, I suppose.
It is very easy for any page to "get out of a frame," so there is no excuse for web page designers to allow their pages to be framed.
Yeah, right.
"...perhaps Mozilla should just take the lead on this and remove frame support entirely."
As much as I hate frames (oh GOD do I hate frames!), this would be a step back for FireFox and its proponents. One of the largest arguments for using non-IE browsers is compatibility with standards. Frames are in the HTML 4.01 standard, and therefore, removing support would be incredibly hypocritical.
Laziness, check. Impatience, check. Hubris, double check!
As usual there are some people who have to keep repeating the same stupid ideas. ...
Frames CAN be useful e.g. I made a management module a while ago with a javascript tree. If frames didn't exist that would mean the tree would have to be regenerated every time you click on an item. Without frames the app would have been slower and would have used a lot more resources.
Frames (iframes especially) are a great way to create a very dynamic web application without having to reload the whole page and waste bandwidth, processor time,
Or how did you think Gmail checked for new messages every $blah seconds. Other great examples of the use of frames are w3schools' tryit-editor or realtime previews of html used in CMSystems such as mambo.
Like most people I greatly dislike websites that use frames for navigation menus etc. However just because something is often misused that doesn't mean we should ditch it altogether (no matter what Jacob fucking Nielsen says).
You see? Another security fault in an open sores program. This is what you get if you don't pay your developers. Opening the source so that everyone can see the flaws is just asking for trouble. I'm going back to IE.
-- Cheers!
I see a difference between IE and Firefox in that most Firefox flaws are discovered with theory and unharmful proof of concept and quickly patched whereas MS doesn't patch any IE hole until criminals have been actively using it for months, that is why I use Firefox (except when I use my Mac.)
The problem lies in Mozilla naming frames globally and not one name set per tab.
If a site in one window has a frameset with "banner" "sidebar" and "main", another window can access that frameset.
A link in that other window with attribute target="main" will replace the content of a frame in another window.
That has nothing to do with being able to create a frameset with contents from heterogeneous locations.
Look at secunia test !
Interesting (somewhat edited) parts are
from secunia
<a href="(msdn)" target="_blank"> (opens a new window with msdn frameset in it)
from msdn frameset
[...]
<FRAME name="fraRightFrame" src="(enter_your_credit_card_number)">
[...]
from secunia
<a href="(thanks_for_your_card_number)" target="fraRightFrame">
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
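The window-wide frame-name lookup described in the comment above, next to the check other commenters propose ("check whether that code actually created that frame", "only allow it for frames sharing the same domain"), as an added example that is not code from the thread, Secunia or any browser. The classes, the two policy names, the `*.example` hosts and `fraLeftFrame` are constructed for the illustration; only the frame name `fraRightFrame` comes from the excerpt, and the navigation rule is a simplified assumption.

```javascript
// Toy model of how <a target="name"> picks a frame. Not browser source code.
// Frame, Browser, the policy names and the *.example hosts are hypothetical.

class Frame {
  constructor(name, url, parent = null) {
    this.name = name;
    this.url = url;
    this.parent = parent;
    this.children = [];
    if (parent) parent.children.push(this);
  }
  get origin() {
    return new URL(this.url).origin;
  }
  // Depth-first walk over this frame and everything nested inside it.
  *walk() {
    yield this;
    for (const child of this.children) yield* child.walk();
  }
}

class Browser {
  constructor(policy) {
    this.policy = policy; // "global-names" or "origin-checked"
    this.windows = [];    // one top-level frame per open window
  }
  open(url, name = "") {
    const top = new Frame(name, url);
    this.windows.push(top);
    return top;
  }
  // Simplified rule (an assumption of this example): the source may navigate
  // the target if the target is the source itself or nested inside it, or if
  // the source shares an origin with the target or one of its ancestors.
  mayNavigate(source, target) {
    for (let f = target; f; f = f.parent) {
      if (f === source || f.origin === source.origin) return true;
    }
    return false;
  }
  findByName(source, name) {
    for (const top of this.windows) {
      for (const frame of top.walk()) {
        if (frame.name !== name) continue;
        // Behaviour described in the thread: names are shared by all windows.
        if (this.policy === "global-names") return frame;
        // Checked behaviour: a name the source may not touch is invisible.
        if (this.mayNavigate(source, frame)) return frame;
      }
    }
    return null;
  }
  followLink(source, href, targetName) {
    const url = new URL(href, source.url).href;
    const target = this.findByName(source, targetName);
    if (target) {
      target.url = url;
      target.children = []; // the old document and its subframes are replaced
      return { action: "navigated-existing", frame: target };
    }
    // No usable frame with that name: the link opens in a new window.
    return { action: "opened-new-window", frame: this.open(url, targetName) };
  }
}

// Constructed scenario: a framed site in one window, an unrelated site in another.
function runScenario(policy) {
  const browser = new Browser(policy);
  const trusted = browser.open("https://trusted.example/library/");
  const left = new Frame("fraLeftFrame", "https://trusted.example/toc", trusted);
  const right = new Frame("fraRightFrame", "https://trusted.example/content", trusted);
  const other = browser.open("https://other.example/");

  // The framed site's own table of contents retargets its sibling frame.
  const own = browser.followLink(left, "/content2", "fraRightFrame");
  // A link in the unrelated window names the same frame.
  const cross = browser.followLink(other, "/page", "fraRightFrame");

  return {
    ownAction: own.action,
    crossAction: cross.action,
    rightFrameUrl: right.url,
    windowCount: browser.windows.length,
  };
}

for (const policy of ["global-names", "origin-checked"]) {
  console.log(policy, runScenario(policy));
}
```

Under the checked policy the cross-window link falls through to a new window, which is the same outcome several commenters report with the tab extension installed, while the framed site's own navigation keeps working.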
lol.. Funny how when IE has something similar people point fingers at it saying how evil it is.. But when it happens to Mozilla or FireFox it's either a feature, or it's the user's fault.. Oh the hypocrisy... It tastes like burning!
They will tell you to upgrade, and you will then have the choice: download and compile the full latest version, or cherry-pick and patch only the bits you really want to patch. Either way, you still need to recompile the app. This will not affect the copy of the application you are already running from memory: only newly-started browser instances will be "secure". I don't think a 10-year uptime is at all unrealistic, especially if you're running FreeBSD.
Je fume. Tu fumes. Nous fûmes!
I click RMB->This Frame->Open Frame In New Tab
As you'd expect this opens the frame in a new tab where you can easily see the URL.
You can also find information about an embedded frame by clicking RBS->This Frame->Frame Info
Fine, but it's not bs. If a phisher opens up a frame and starts reading data you type into it, it's a problem. Yeah, an observant/intelligent/aware individual might notice the address bar doesn't match, but let's not give your average user too much credit.
-dave
http://millionnumbers.com/ - own the number of your dreams
For this to work,
1) http://msdn.microsoft.com/library/default.asp must be open in another window
2) http://msdn.microsoft.com/library/default.asp must be the active tab in that other window i.e. top or visible
It will not work if:
1) http://msdn.microsoft.com/library/default.asp is open in another tab in the same window i.e. non-active or hidden
2) any other site with frames is open in the active tab in another window (e.g. http://www.turtle-express.com/)
For a successful phishing attack you must:
1) open your bank (or some other important) web page in a new window
2) that web page must use frames
3) you must then switch to another window and surf to the attacker's web page
4) the attacker must know which web site is open in the other window in order to spoof a part of it
5) the log-in page is the only non-unique page so even if the attacker gets past 1-4 you must have left the login page in the other window, otherwise you would know something has happened because the content would be different!
That is one of the many prices you pay when rewriting old code from scratch
and not having an automated regression test suite.
Thank God that we don't get as many security bugs as I.E., dontcha think?
What about placing a small colored box in the corner of each frame... If a frame's box differs in color from the surrounding frames, this would indicate the frame was on a different domain. That way the developers wouldn't have to worry about breaking the legitimate use of this technique.
What the hell's a "gewie?"
Their test didn't work on my Firefox, it just opened in a whole new tab so it seems Firefox is safe, at least when configured as I have it.
I have new windows open up in tabs instead.
Perhaps my setup could be exploited a different way, I am not sure I am 100% safe, but at least the flaw can be sidestepped in some instances.
Just because it CAN be done, doesn't mean it should!
Gimme 1.00 $ for each website using frames, and I'll never have to work again ...
I try to block as many advertisers as possible, and I wasn't happy to see that slip through...
If you are using the TabBrowser Preference extension for Firefox, the exploit site will just open in a new tab, and the MSDN site will remain unaffected. https://addons.mozilla.org/extensions/moreinfo.php?id=158&application=firefox
Not only is it "old news", but it's also inaccurate. There's a big difference between spoofing a site, and actually "placing malicious content on trusted web sites". One is a browser attack, the other a server attack.
How about google image search? You have a frameset and one frame belonging to google.com, which most people allow to set cookies, and gmail users allow it a bit more in the way of scripts and such.. and you have a frame showing the page the image you just clicked on in its original context. If that original context had malicious code, and was running with google's security.. perhaps it could do some damage?
Yes, we hear that all the time with the Microsoft products. Here, whenever a disastrous Windows bug allows worms to run riot, or drive-by spyware installs to devastate hundreds of desktops, we always ring Redmond and demand to know the name of the developer who introduced the bug, and what Microsoft plan to do to prevent a similar incident from occurring in the future.
Sometimes, when the guy at the other end of the phone has finished laughing, he tells us that Microsoft expect us to keep on writing them cheques.
Real Daleks don't climb stairs - they level the building.
This sucks!!! It doesn't work here either: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
I'm too lazy to check it out...but does it only work on Windows? Or are all platforms affected? Or maybe it's because I have the tab extension installed.
It's open source, audit the code yourself you lazy bum!! :)
I concur.
When opening in new tabs, "target" part of a link is ignored, so it won't work.
But you need to consider that secunia test is just an example, a real-life malicious exploit will probably use javascript, probably bypassing that tab setting.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
This just in, putting your picture inside a frame may cause an unfavorable reaction to whoever is looking at it. The results can range from shrieks of horror, to nausea and a look of disdain on the viewer's face. The fix is to burn the picture with the frame....
in a follow up with GregThePaladin, he stated that it would really only be likely to exploit this flaw if it were, some one on the inside
"I'm sure there are some sites that legitimately use this feature"
No, there are not. This "feature" is not used because it has not existed for years; ever since it was eradicated from browsers because it's a nasty security hole.
It is actually something to do with malicious code. It is not about making a fake site, it is about letting you navigate to a real site (like your bank), without you ever knowing you are actually doing so in a frame. And it's about that frame containing javascript that is continually scanning the pages you're looking at and reporting stuff (like your password) back to the bad guys.
This is the first time IN MY LIFE that I see a browser add-on INCREASING its security, and not otherwise.
(hypothetical) Secunia advisory
blablablah... bug.
Versions affected: Firefox v1.04 etc....
Workaround: Install the tabbrowser preferences extension.
w00t.
WTF? This sucks more arse than something that sucks a lot of arse! The flaw is not apparent in my installation of Firefox 1.0.4. The frame opens in a new tab, not in the separate window. The frame does, however, load across windows in IE6.
I tried this in Internet Explorer 6 on a fully-patched Windows XP SP2 machine and get the same result. No idea why Secunia would single out Firefox/Mozilla on this one... Try it yourself
For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time.
Gee, do you think?!
Who are these people surfing in multiple windows and tabs to trusted, sort-of-trusted, and untrusted sites simultaneously while doing critical transactions with personal information and finances? We need to know, we need to identify them, we need to prevent them from polluting the gene pool without having their common sense upgraded to "semi-conscious of surroundings" first.
Actually, I've seen people load their machines with cr*pware on "free" pr0n sites all day long and among the many open pop-up windows they've merely reduced to the taskbar, they open another IE session and start doing online banking. It makes me cringe.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Ok, I tried this with FF 1.04 and could not get it to work no matter what I tried. I tried both using tabs and opening all links in new windows and I could not get it to work. IE, on the other hand, handled the exploit perfectly, thank god. At least I can still count on IE to run the flaw correctly.
Apparently Microsoft still uses frames. Like many things in web design: if you use frames appropriately you can minimize problems. Think in terms of filling a page up with GIF animation. Keep it simple when you use those; otherwise I'll get seasick and puke on my keyboard.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
2) not able to bookmark properly
:-) IE does implement this feature correctly. But the Mozilla developers don't seem inclined to fix it: "Frame State Bookmarking (frameset bookmarks)" bug... (You can vote for this bug if you agree.)
I don't like frames either, but Firefox's inability to properly bookmark sites using frames really irritates me. Because very occasionally, I want to bookmark a webpage which I didn't design myself
You are not concerned by the Cascade of Attention-Deficit Teenagers (CADT), are you?
Joachim
People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]
Apocalypse Cancelled, Sorry, No Ticket Refunds
Wow. Another Firefox vulnerability. Tell me, how many companies have either been completely shut down by a massive megaworm and/or have preemptively shut themselves down to stop the spread of destruction from this egregious and terrible flaw?
I'm using Firefox 1.0.4 and it's apparently not vulnerable because the test didn't do anything...
No existe.
I've never understood why they do that anyway. I always end up clicking on the "see image in original size" button anyway and viewing it in a separate window.
They don't put a frame on news articles from Google News, why bother doing it with images?
Google, get RID of the frame!
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
And if IE and the other browsers properly supported the "object" tag, you wouldn't need iframes, which are supposed to be superseded by the object tag.
I mucked around with this crap for several weeks a few months ago trying to get a simple form of dynamic page loading done. Can't be done with the lame support for object in most browsers. At first I tried iframes using the JavaScript trick of extracting content from an invisible iframe. Not good enough. Tried object - much cleaner, but not supported properly on all common browsers.
Frames are bad news, iframes are inadequate, and objects aren't supported.
Get on the fucking stick, browser makers! Stop adding bullshit like "voice commands" (Opera) to your browsers until you make the STANDARDS WORK!
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
That is indeed a security hole -- unless you want to claim that it's one of those extra features that differentiates Firefox from Safari and IE ...
Except, of course, that it does not differentiate Firefox from IE, as the latest versions *both* have this vulnerability. (Just tested with Firefox 1.0.4 and IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519. Seriously.)
J'aime mieux les méchants que les imbéciles, parce qu'ils se reposent. -- Alexandre Dumas
Seriously, the problem is that this was (supposed to be) killed in a previous version of the Gecko browsers. It should not have revived itself.
The following browsers are not affected:
* Mozilla Firefox 0.9 and later
* Mozilla 1.7
* Opera 7.52
* Netscape 7.2
* Camino 0.8 (build 2004062308)
Source Secunia
At least in Opera, dead bugs stay dead.
.. paranoid crackpot leftover from the days of Amiga.
This only seems to be for Mozilla/Firefox, but since Epiphany (GNOME's browser) uses the Mozilla/Gecko core, are we Epiphany users also at risk?
Then I wouldn't be able to read the MSDN help, which is an invaluable resource.
Le français vous intéresse?
There are many uses for frames that can increase usability or enhance/ease integration with other systems (that you cannot directly modify for example), particularly inline frames -- if you know what you are doing.
Simply saying frames suck without qualifying further only shows your lack of understanding of appropriate applications of them
Apocalypse Cancelled, Sorry, No Ticket Refunds
It did work on my FF 1.0.4. Took control of the MSDN frame. Maybe they changed something on the Secunia site now?
Apocalypse Cancelled, Sorry, No Ticket Refunds
"I can think of a few times it would be great if one website could help someone fill out another websites forms"..."If someone really wants to do that, they should attain permission and do it via GET or POST vars, or some serverside communication."
Essentially you can do this already using 3rd party cookies (setting domain=TheOtherSite.com). Of course most savvy Firefox, Opera (and maybe Safari?) users block or whitelist 3rd party cookies due to ads and trackers.
At the moment this 9 month old, and as of yet unpatched, oversight in Firefox/Mozilla lets webmasters pass their own website cookies to any domain (maybe coordinated with advertisers) in the same TLD anyway though.
Has anyone else noticed Firefox 1.x now has 28% to IE's 31% of unpatched vulnerabilities?
Yes, I know I could install the adblock extension or do it through the userchrome.css, but I'm a bit short of RAM and don't want to put extra load on the browser unnecessarily...
Did anybody else try the test from TFA? I tried it in my firefox and the 'flaw' doesn't exist! If the vulnerability exists in other users' firefoxes perhaps it's something to do with the TabMix plugin (opens new windows in tabs instead) which breaks the vulnerability??
Time is an illusion. Lunchtime doubly so. - Douglas Adams
3) "Back" is ambiguous about whether you want to back up within the frame or back up from the main frame...
4) poorly designed frames make assumptions about the screen size or text size of the browser, making some portion of the text unviewable because it exceeds the width or height of the frame (think people using larger text sizes due to vision issues)
Even more annoying are the frames pages that gratuitously force the main frame to be loaded if you try to look at only the frame..... or people who try to disable right clicking with javascript...
Final 2006 "Proof of Global Warming" US Hurricane Count -> 0