[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: Vulnerability in Netscape & Microsoft Web browsers
From:       Paul Shields <shields () PASSPORT ! CA>
Date:       1998-11-19 21:46:57
[Download RAW message or body]

Richard Reiner reports,
[...]
>    Full details, and HTML-based and Javascript-based demos, can be found at
>    http://www.securexpert.com .

Richard didn't disclose details on how webmasters can prevent their sites from being
used as unwitting accomplices to this attack.  So here goes...

It appears that the attacker needs to guess the name of the target frame, which for
static pages is trivial. If this is true, then dynamically generated HTML can defeat the
attack at the host side, by generating an address- or session-based frame name that is
unguessable by the attacker.

To do this, modify the frame name to use the hash of a secret appended to the remote's
IP address:

    frame_name = original_name + SHA1( browser_IP_address + secret);


cheers,

--
Paul Shields, mailto:shields@custodians.com

Custodian Software Inc. 962 Bloor Street West Toronto, Ontario M6H 1L6
Tel: +1 416 537-0015   Fax: +1 416 536-5793

[prev in list] [next in list] [prev in thread] [next in thread]