TITLE:
Multiple Browsers Frame Injection Vulnerability

SECUNIA ADVISORY ID:
SA11978

VERIFY ADVISORY:
https://secunia.com/advisories/11978/

CRITICAL:
Moderately critical

IMPACT:
Spoofing

WHERE:
>From remote

SOFTWARE:
Safari 1.x
https://secunia.com/product/1543/
Opera 7.x
https://secunia.com/product/761/
Opera 6.x
https://secunia.com/product/81/
Opera 5.x
https://secunia.com/product/82/
Netscape 7.x
https://secunia.com/product/85/
Netscape 6.x
https://secunia.com/product/84/
Mozilla Firefox 0.x
https://secunia.com/product/3256/
Mozilla 1.6
https://secunia.com/product/3101/
Mozilla 1.5
https://secunia.com/product/2478/
Mozilla 1.4
https://secunia.com/product/1481/
Mozilla 1.3
https://secunia.com/product/1480/
Mozilla 1.2
https://secunia.com/product/3100/
Mozilla 1.1
https://secunia.com/product/98/
Mozilla 1.0
https://secunia.com/product/97/
Mozilla 0.x
https://secunia.com/product/772/
Konqueror 3.x
https://secunia.com/product/3166/
Internet Explorer 5.x for Mac
https://secunia.com/product/2678/

DESCRIPTION:
A 6 year old vulnerability has been discovered in multiple browsers,
allowing malicious people to spoof the content of websites.

The problem is that the browsers don't check if a target frame
belongs to a website containing a malicious link, which therefore
doesn't prevent one browser window from loading content in a named
frame in another window.

Successful exploitation allows a malicious website to load arbitrary
content in an arbitrary frame in another browser window owned by e.g.
a trusted site.

Secunia has constructed a test, which can be used to check if your
browser is affected by this issue:
https://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

The vulnerability has been confirmed in the following browsers:
* Opera 7.51 for Windows
* Opera 7.50 for Linux
* Mozilla 1.6 for Windows
* Mozilla 1.6 for Linux
* Mozilla Firebird 0.7 for Linux
* Mozilla Firefox 0.8 for Windows
* Netscape 7.1 for Windows
* Internet Explorer for Mac 5.2.3
* Safari 1.2.2
* Konqueror 3.1-15redhat

Other versions may also be affected.

The vulnerability also affects Internet Explorer:
SA11966

SOLUTION:
Do not browse untrusted sites while browsing trusted sites.

The following browsers are not affected:
* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux

PROVIDED AND/OR DISCOVERED BY:
Reported in Mozilla browser by:
Gary McKay

OTHER REFERENCES:
SA11966:
https://secunia.com/advisories/11966/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
https://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
https://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------