Who framed Internet Explorer
by Volker Weber
We discovered that it is possible for an attacker to execute script on any page that contains <frame> or <iframe> elements, ignoring any protocol or domain restriction set forth by Internet Explorer. This means that an attacker can steal cookies from almost any site, access and change content in sites and in most cases also read local files and execute arbitrary programs on the client's machine (script in the "My Computer" zone).
To give you a little demonstration of what an iframe is, look at your files on my website. If this window is empty, you are not using Internet Explorer 5 (and "better"):
Comments
That my browser shows me my own data is not a problem for me at first, so in that respect this script is nothing wild for now. However, one really should disable the option "Launching programs and files in an IFRAME" in order to prevent a blind script call into the iframe from the external domain.
Jens