Bug 56109

Summary:	net-www/netscape-communicator: Frame Injection Vulnerability
Product:	Gentoo Security	Reporter:	Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	usata
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	http://secunia.com/advisories/11978/
Whiteboard:	A3 [glsa?] jaervosz
Package list:		Runtime testing required:	---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-07-05 00:47:17 UTC

Description from Secunia:

Description:
A 6 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.
 
 The problem is that the browsers don't check if a target frame belongs to a website containing a malicious link, which therefore doesn't prevent one browser window from loading content in a named frame in another window.
 
 Successful exploitation allows a malicious website to load arbitrary content in an arbitrary frame in another browser window owned by e.g. a trusted site.
 
 Secunia has constructed a test, which can be used to check if your browser is affected by this issue:

http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

Just tested Konqueror 3.2.2 and it is vulnerable. mozilla-firefox-0.8-r3 seems not to suffer from this.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2004-07-05 02:10:42 UTC

Hardly exploitable, but should be fixed.

Affected packages :
net-www/opera
net-www/mozilla
net-www/firefox
kde-base/kdebase (Konqueror)
...?

Fixed packages :
net-www/firefox >=0.9
net-www/mozilla >=1.7

Waiting for upstream fixes for Opera and Konqueror.

Comment 2 Dan Margolis (RETIRED) gentoo-dev

2004-07-05 14:36:08 UTC

net-www/netscape-navigator is vulnerable (I'm assuming net-www/netscape-communicator is as well). Note that I tested this on OSX, but it should be vulnerable on Linux as well. 

Who still uses Netscape, anyway? ;)

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-07-07 14:03:12 UTC

Opera fixed with bug #56311

Patch available for Konqueror

http://bugs.kde.org/show_bug.cgi?id=84352

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2004-07-07 14:06:14 UTC

KDE team: could you please look in the fix for Konqueror and issue a fixed ebuild ?
For netscape-communicator, I suppose there won't be a fix so we might need to mask it.

Comment 5 Caleb Tennis (RETIRED) gentoo-dev

2004-07-08 07:00:33 UTC

I'd like to see a little more conversation on the KDE bug site and find out what their plan is before I commit anything here.  If it's a serious problem, they'll issue a security advisory.  My guess is that the patch that's in that bug still has a little bit of work left.

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-05 23:27:09 UTC

mozilla(-bin) and firefox seems to be fixed with bug #59419

Comment 7 Thierry Carrez (RETIRED) gentoo-dev

2004-08-06 02:42:31 UTC

Moz and Firefox are fixed since 1.7 / 0.9, see comment above.
Konqueror and Netscape-Communicator are the only left to fix.
Changing title to reflect this.

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-11 11:34:36 UTC

Konqueror fixed with bug #60068

Comment 9 Mamoru KOMACHI (RETIRED) gentoo-dev

2004-08-17 14:10:52 UTC

I agree to p.mask net-www/netscape-*. The latest portage is clever enough to show the reason of p.mask extracted from package.mask, so I would assume it's okay to keep them in our tree even though they are vulnerable to the exploit.

Comment 10 Aron Griffis (RETIRED) gentoo-dev

2004-08-18 12:37:49 UTC

ok, netscape-communicator and netscape-navigator are package.mask'd

Comment 11 Thierry Carrez (RETIRED) gentoo-dev

2004-09-02 06:36:34 UTC

This is ready for GLSA or close...

Comment 12 Thierry Carrez (RETIRED) gentoo-dev

2004-09-03 07:05:26 UTC

Closing without GLSA.