
Internet Explorer Cross Frame Scripting Restriction Bypass

Feb 27, 2004 6:25AM PST

Critical: Less critical
Impact: Security Bypass, Exposure of sensitive information
Where: From remote
Software: Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5, Microsoft Internet Explorer 6

Description:
iDEFENSE has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to bypass certain frame scripting restrictions.

The vulnerability is caused due to an access validation error within the event handling routines. This makes it possible for script code in a frame associated with one domain to interact with certain events like keystrokes typed in a frame associated with a different domain.

Successful exploitation potentially allows capturing sensitive information like user credentials or credit card information typed in a frame associated with another site, if a user is tricked into following a link.

Solution:
Microsoft has reportedly not categorised this as a vulnerability, but will address it in a future service pack.

Microsoft advises users to follow best practices when browsing:
http://www.microsoft.com/security/incident/spoof.asp

http://secunia.com/advisories/10996/
