
Vigil@nce : IE, Firefox, Opera, SeaMonkey, ClickJacking

October 2008 by Vigil@nce

SYNTHESIS

An attacker can use an IFRAME in order to force the victim to do
an unwanted operation.

Gravity: 2/4

Consequences: user access/rights

Provenance: internet server

Means of attack: 1 proof of concept

Ability of attacker: specialist (3/4)

Confidence: multiple sources (3/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 30/09/2008

IMPACTED PRODUCTS

 Microsoft Internet Explorer
 Mozilla Firefox
 Mozilla SeaMonkey
 Opera

DESCRIPTION

The IFRAME tag of the HTML language can be used to include a page
inside the current document.

An attack named ClickJacking, which abuses IFRAMEs, was announced:

 It is assumed that the victim recently visited http://site1/,
and still has an active authentication cookie.

 The attacker creates the http://site2/ web site, whose HTML page
contains an IFRAME to http://site1/. This web page uses CSS
(DHTML) to place objects behind the IFRAME of site1 in order
to spoof its contents, but without hiding its buttons/links. Most
of the displayed information thus comes from site2, whereas the
buttons/links come from site1.

 The attacker invites the victim to visit site2.

 The victim believes they are seeing only site2. However, if the
victim clicks on the buttons/links, the actions are carried out
on site1. If site1 is the web interface used to administer a
firewall, these buttons/links can add permissive rules.

Other attack variants can be achieved with Adobe software.

An attacker can use an IFRAME in order to force the victim to do
an unwanted operation on a trusted web site.
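The attack above works because nothing stops site2 from embedding site1 in an IFRAME. As an added example (not part of this Vigil@nce advisory), the following script decides whether a page from site1 may be framed by another origin, based on the two anti-framing response headers that appeared after this 2008 advisory, X-Frame-Options and the CSP frame-ancestors directive; the header values, origins and helper names are assumed inputs.

```javascript
// Added example, not from the Vigil@nce advisory: decide whether a page served
// by site1 may be rendered inside an IFRAME on another site, by evaluating the
// X-Frame-Options header and the CSP frame-ancestors directive (assumed inputs).
// Port numbers in frame-ancestors host sources are not modelled here.

function originOf(url) {
  const u = new URL(url);            // normalises scheme and host to lower case
  return `${u.protocol}//${u.host}`;
}

// Does one frame-ancestors source expression admit `framer` as an ancestor?
function sourceMatches(src, framer, self) {
  src = src.toLowerCase();
  if (src === "'none'") return false;
  if (src === "*") return true;
  if (src === "'self'") return framer === self;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.startsWith(src + "//"); // "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(src); // host source
  if (!m) return false;
  const f = new URL(framer);
  if (m[1] && f.protocol !== m[1] + ":") return false;
  return m[2] ? f.hostname.endsWith("." + m[3]) : f.hostname === m[3];
}

function header(headers, name) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return hit ? hit[1].trim() : undefined;
}

// True when a page from origin `self` may be framed by origin `framer`.
// When both headers are present, frame-ancestors wins and X-Frame-Options is ignored.
function mayBeFramed(headers, self, framer) {
  const csp = header(headers, "content-security-policy");
  const fa = csp && csp.split(";").map(d => d.trim().split(/\s+/))
                      .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (fa) return fa.slice(1).some(s => sourceMatches(s, framer, self));
  const xfo = (header(headers, "x-frame-options") || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framer === self;
  if (xfo.startsWith("ALLOW-FROM ")) {           // legacy form, a single origin
    try { return originOf(xfo.slice(11).trim()) === framer; } catch { return false; }
  }
  return true;  // no anti-framing header: any site, like site2 above, can embed the page
}

// The advisory's scenario (constructed headers): site1 sends no anti-framing
// header, so site2 can frame it; with X-Frame-Options: DENY it cannot.
const site1Unprotected = mayBeFramed({ "Content-Type": "text/html" }, "http://site1", "http://site2");
const site1Hardened = mayBeFramed({ "X-Frame-Options": "DENY" }, "http://site1", "http://site2");
console.log(site1Unprotected, site1Hardened); // true false
```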

CHARACTERISTICS

Identifiers: VIGILANCE-VUL-8136
http://vigilance.aql.fr/vulnerability/8136

