Frame spoofing does work with OWB 3.27 (Fixed in 3.28)
http://www.h-online.com/security/serv ... g-with-Frames-758077.html

Is that something that must be fixed in the webkit engine, or is it something that should be fixed in the OS4.x port of OWB?

EDIT:
Fixed in OWB 3.28


Edited by ZeroG on 2010/6/3 7:55:14
Re: Frame spoofing does work with OWB 3.27
@ZeroG
What are you talking about? OWB v3.27 passed the test here (as I would have expected since it is based upon WebKit which is used by Google Chrome, Safari, etc).

Author of the PortablE programming language.
Re: Frame spoofing does work with OWB 3.27
OWB 3.27 failed here. Spoofing works perfectly.

Re: Frame spoofing does work with OWB 3.27
@Thread

Well, even if English is not my native language, it seems that the test fails, since you should read carefully what is written:

You are vulnerable...

if this page is displayed in the context of another site and/or the address bar of your browser shows that site's URL. If you see it in a separate window with a URL from The H, you can ignore this message.

We could insert any content here. Attackers could create a page with the look and feel of the original page and ask for private information such as passwords, PINs and so on. All such data entered here could be transmitted to the attackers.


So yes, we are vulnerable since anything could have been written in the frame.

We normally should have had a new window opened without the first one being modified.

--
AmigaONE X1000 and Radeon RX 560
Re: Frame spoofing does work with OWB 3.27
@ZeroG
Hmmm, OK, I was mistaken. Tried it again, and saw the same problem. Maybe OWB is using an outdated version of Webkit?

Author of the PortablE programming language.
Re: Frame spoofing does work with OWB 3.27
@ChrisH

Quote:

Maybe OWB is using an outdated version of Webkit?


I've also noticed a few places where Chrome works fine but OWB fails. Could it be spoof-related only?

Software developer for Amiga OS3 and OS4.
Develops for OnyxSoft and the Amiga using E and C and occasionally C++
Re: Frame spoofing does work with OWB 3.27
@ZeroG: I think you can address this vulnerability without changing WebKit. If you start two separate OWB tasks there is no problem. Only if you open a new tab or window from within the same OWB, these windows are able to override each other's frames.

So go one window per OWB instance and you are safe.

Re: Frame spoofing does work with OWB 3.27
@ZeroG

It doesn't seem to happen in my webkit port (clicking second link open in a new tab/window), even with an older webkit revision than the one used in OWB 3.27. So I wonder if it wouldn't just be related to some webkit option that would have been enabled in OS4 port.

Re: Frame spoofing does work with OWB 3.27
@lsmarty

I know how to work around this "feature", but it should get fixed.

@Fab
Good to hear this.

Go to top
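
Added example (not part of any post in this thread, and not OWB or WebKit code): a small JavaScript model of how a browser resolves a named link target, contrasting the behaviour posters reported for OWB 3.27 with the expected outcome described above, where a new window opens and the first one is left unmodified. The frame model, the `permissive` and `restricted` policy names and the example.* URLs are constructed, and the restricted rule is a simplified assumption rather than WebKit's actual check.

```javascript
// Constructed model of named-target resolution; not OWB or WebKit code.
function makeFrame(name, origin, url, parent = null) {
  const frame = { name, origin, url, parent, children: [] };
  if (parent) parent.children.push(frame);
  return frame;
}

const framesOf = (f) => [f, ...f.children.flatMap(framesOf)];

function isDescendant(frame, ancestor) {
  for (let p = frame.parent; p; p = p.parent) if (p === ancestor) return true;
  return false;
}

// Policies decide whether `source` may navigate `target`.
const policies = {
  // Models what posters saw in OWB 3.27: a page in another window of the
  // same browser instance could overwrite a frame found by name.
  permissive: () => true,
  // Simplified hardened rule (assumption): same origin, or the target
  // is nested inside the source frame.
  restricted: (source, target) =>
    source.origin === target.origin || isDescendant(target, source),
};

// Model of a link with target=name (or window.open(url, name)) from `source`.
function openTarget(windows, source, name, url, policy) {
  const match = windows.flatMap(framesOf).find((f) => f.name === name);
  if (match && policies[policy](source, match)) {
    match.url = url; // the existing frame's content is replaced
    return { reused: true, frame: match };
  }
  const fresh = makeFrame(name, new URL(url).origin, url); // separate window
  windows.push(fresh);
  return { reused: false, frame: fresh };
}

// Constructed scenario: a trusted site with a named frame, and an
// unrelated page open in another window of the same browser instance.
function demo(policy) {
  const site = makeFrame("", "https://trusted.example", "https://trusted.example/");
  const inner = makeFrame("content", "https://trusted.example", "https://trusted.example/login", site);
  const other = makeFrame("", "https://other.example", "https://other.example/");
  const windows = [site, other];
  const result = openTarget(windows, other, "content", "https://other.example/fake", policy);
  return { innerUrl: inner.url, windowCount: windows.length, reused: result.reused };
}

console.log(demo("permissive"), demo("restricted"));
```

Under `permissive` the trusted site's frame ends up showing the other page's URL while the address bar would still show the trusted site; under `restricted` the frame is untouched and a third window is created.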
