
Mozilla Cross-Domain Frame Loading Vulnerability

Mozilla and its derivatives are reported prone to a cross-domain frame loading vulnerability. It is reported that if the name of a frame rendered in a target site is known, an attacker may be able to render arbitrary HTML in that frame of the target site.

An attacker may exploit this vulnerability to spoof an interface of a trusted web site. To exploit it, a victim must visit a website hosted by the attacker. The attacker's site then spawns the trusted site in a window; if exploitation succeeds, the attacker's site places data into the IFRAME of the trusted site. This vulnerability may aid in phishing-style attacks.

Mozilla prior to 1.7, Mozilla Firebird 0.7, Mozilla Firefox prior to 0.9, Mozilla Thunderbird prior to 0.7, and Netscape 7.1 are all reported vulnerable.

Update (June 6, 2005): It has been reported that this vulnerability has been reintroduced in Mozilla Browser 1.7.8, Mozilla Firefox 1.0.4 and Mozilla Camino 0.8.4.

K-Meleon 0.9 and 0.8.2 are reportedly vulnerable to this issue as well.
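
The frame-name behaviour described above can be modelled as a name lookup performed with and without an origin check on the initiating window. This is an added example, not code from the advisory or from Mozilla; the `mayNavigate` rule, the function names and the `example` origins are assumptions chosen for illustration.

```javascript
// Simplified model of named-frame targeting (constructed; not Mozilla source).
// A browsing context has an origin, an optional frame name, and child frames.
function ctx(origin, name, children = []) {
  const c = { origin, name, children, parent: null, url: origin + "/" };
  children.forEach((k) => { k.parent = c; });
  return c;
}

// Depth-first search of every open window for a frame with this name.
function findByName(windows, name) {
  const stack = [...windows];
  while (stack.length) {
    const c = stack.pop();
    if (c.name === name) return c;
    stack.push(...c.children);
  }
  return null;
}

function isAncestor(a, c) {
  for (let p = c.parent; p; p = p.parent) if (p === a) return true;
  return false;
}

// Assumed restriction: the initiator may navigate a frame only if it is
// same-origin with that frame or is one of its ancestors.
function mayNavigate(initiator, target) {
  return initiator.origin === target.origin || isAncestor(initiator, target);
}

// "legacy": a name match alone is enough (the behaviour the advisory reports).
// "restricted": a name match plus the mayNavigate check.
function navigateByName(windows, initiator, name, url, policy) {
  const target = findByName(windows, name);
  if (!target) return "no-such-frame";
  if (policy === "restricted" && !mayNavigate(initiator, target)) return "blocked";
  target.url = url;
  return "navigated";
}

// Constructed scenario: a trusted site with a frame named "content",
// and an unrelated window from another origin targeting that name.
function demo(policy) {
  const frame = ctx("https://trusted.example", "content");
  const trusted = ctx("https://trusted.example", null, [frame]);
  const other = ctx("https://other.example", null);
  const result = navigateByName([trusted, other], other, "content",
    "https://other.example/page.html", policy);
  return { result, frameUrl: frame.url };
}
```

Under the `"legacy"` policy the unrelated window replaces the content of the trusted site's frame; under `"restricted"` the same request is refused while the trusted site can still navigate its own frame.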

Copyright 2008, SecurityFocus