Date: Thu, 18 Feb 1999 10:36:49 PST
From: Robert Thomas <offerrob@HOTMAIL.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator window spoofing bug

-Junk deleted-

This was reported back in the November, December time frame by
secureexperts.com as a frame spoof bug.  MS came up with a lame patch
for IE (that didn't work for all cases BTW).  The solution to this was
provided to a US Government Agency by a contractor.  The agency has a
high public trust and visibility and this was a concern.  Any questions
can be addressed to krawls@erols.com.  The consultant came up with the
following:

On the page being called up in the window i.e. the page
to be protected should contain the following (frames or not):


<SCRIPT LANGUAGE="JavaScript">

<!--

checkMyFramesMulti();

function ErrorHandler(errorMessage,url,line)
{
  spoofDetected("  Error message: "+
         errorMessage+
        "\n  Line number: "+
         line, "TOP", url);
  return true;
}

onerror = ErrorHandler;

function checkMyFramesMulti()
{
  checkMyFrames();
  setTimeout("checkMyFramesMulti()", 15000);

}

function checkMe()
{
  setTimeout("checkMyFrames()", 3000);

}

function checkMyFrames()
{
  var browsername = navigator.appName;
  var browserversion = parseInt(navigator.appVersion);
  var itsok;
  var frameUrl;
  var numFrames;
  var i;

  if( (browsername == "Netscape") && (browserversion >= 3) )
  {
    if( self.opener != null )
      spoofDetected(" OPENER NOT NULL!!", "TOP", "self.opener");
  }


  frameUrl = location.href;
  itsok = urlOk(frameUrl);
  if(  itsok.indexOf("false") == 0 )
       spoofDetected(" Top is bad!!", "TOP", frameUrl);

  numFrames = self.frames.length;

  for( i = 0; i < numFrames; i++ )
  {
     frameUrl = self.frames[i].location.href;
     itsok = urlOk(frameUrl);
     if(  itsok.indexOf("false") == 0 )
        spoofDetected(" This frame is bad!!", i, frameUrl);
  }


}

function urlOk(frameUrl)
{
  var thismany = parseInt(getAuthInfoNum());
  var itsok = "false";
  var Url;
  var i;
  for( i = 0; i < thismany; i++)
  {
    Url = getAuthInfo(i);
    if(frameUrl.indexOf(Url) == 0)
        itsok = "true";
  }
  return itsok;
}

function spoofDetected(msg, frm, theUrl)
{
  var browsername = navigator.appName;
  var browserversion = parseInt(navigator.appVersion);

  if( (browsername == "Netscape") && (browserversion >= 3) )
  {
    if( self.opener != null )
      self.opener = null;
  }
  // spoofpage.html is an error page that gets pulled up on
  // detection of an error.

  top.location.href = "spoofpage.html";

}

 function getAuthInfo(whichone) {
 var legalUrls = new
Array('http://www.agency.gov','http://www.agency.gov/left.html','http://www.agency.gov/top.html','http://www.agency.gov/main.ht
ml');
 return legalUrls[whichone];
 }

 function getAuthInfoNum() {
  return 4;
 }
// -->

</SCRIPT>



In the framed page add the onUnload command:

<BODY BGCOLOR="#FFFFFF" onUnload="parent.checkMe()">