Frame spoofing does work with OWB 3.27 (Fixed in 3.28)

	Bottom Previous Topic Next Topic
Register To Post

ZeroG

Posted on: 2010/5/23 9:29 #1

Not too shy to talk

http://www.h-online.com/security/serv ... g-with-Frames-758077.html

Is that something that must be fixed in the webkit engine, or is it something that should be fixed in the OS4.x port of OWB?

EDIT:
Fixed in OWB 3.28

Edited by ZeroG on 2010/6/3 7:55:14

ChrisH

Re: Frame spoofing does work with OWB 3.27

Posted on: 2010/5/23 10:07 #2

Home away from home

@ZeroG
What are you talking about? OWB v3.27 passed the test here (as I would have expected since it is based upon WebKit which is used by Google Chrome, Safari, etc).

Author of the PortablE programming language.

fingus

Re: Frame spoofing does work with OWB 3.27

Posted on: 2010/5/23 12:44 #3

Just popping in

OWB 3.27 failed here. Spoofing works perfectly

ZeroG

Re: Frame spoofing does work with OWB 3.27

Posted on: 2010/5/23 14:41 #4

Not too shy to talk

@ChrisH

It does work here:

http://www.amigans.net/modules/myalbum/photo.php?lid=290

K-L

Re: Frame spoofing does work with OWB 3.27

Posted on: 2010/5/23 15:51 #5

Just can't stay away

@Thread

Well, even if English is not my native language, it seems that the test fails since you should read carefully what it is written :

You are vulnerable...

if this page is displayed in the context of another site and/or the address bar of your browser shows that site's URL. If you see it in a separate window with a URL from The H, you can ignore this message.

We could insert any content here. Attackers could create a page with the look and feel of the original page and ask for private information such as passwords, PINs and so on. All such data entered here could be transmitted to the attackers.

So yes, we are vulnerable since anything could have been written in the frame.

We normally shoud have had a new window opened without the first one being modified.

--
AmigaONE X1000 and Radeon RX 560

ChrisH

Re: Frame spoofing does work with OWB 3.27

Posted on: 2010/5/23 17:47 #6

Home away from home

@ZeroG
Hmmm, OK, I was mistaken. Tried it again, and saw the same problem. Maybe OWB is using an outdated version of Webkit?

Author of the PortablE programming language.

Deniil

Re: Frame spoofing does work with OWB 3.27

Posted on: 2010/5/24 14:35 #7

Quite a regular

@ChrisH

Quote:

Maybe OWB is using an outdated version of Webkit?

I've also noticed a few places where Crome works fine but OWB fails. Could it be spoof-related only?

Software developer for Amiga OS3 and OS4.
Develops for OnyxSoft and the Amiga using E and C and occasionally C++

lsmarty

Re: Frame spoofing does work with OWB 3.27

Posted on: 2010/5/25 22:34 #8

Just popping in

@ZeroG: I think you can adress this vulnerability without changing WebKit. If you start two seperate OWB tasks there is no problem. Only if you open a new tab or window from within the same OWB, these windows are able to override each others frames.

So go one window per OWB instance and you are safe.

Fab

Re: Frame spoofing does work with OWB 3.27

Posted on: 2010/5/26 1:01 #9

Just popping in

@ZeroG

It doesn't seem to happen in my webkit port (clicking second link open in a new tab/window), even with an older webkit revision than the one used in OWB 3.27. So i wonder if it wouldn't just be related to some webkit option that would have been enabled in OS4 port.

ZeroG

Re: Frame spoofing does work with OWB 3.27

Posted on: 2010/5/26 16:51 #10

Not too shy to talk

@lsmarty

I know how to work around this "feature", but it should get fixed.

@Fab
Good to hear this.

Register To Post
	Top Previous Topic Next Topic

Currently Active Users Viewing This Thread: 1 ( 0 members and 1 Anonymous Users )