Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 56109 - net-www/netscape-communicator: Frame Injection Vulnerability
Summary: net-www/netscape-communicator: Frame Injection Vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa?] jaervosz
Depends on:
Reported: 2004-07-05 00:47 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2011-10-30 22:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-07-05 00:47:17 UTC
Description from Secunia:

A 6 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.
 The problem is that the browsers don't check if a target frame belongs to a website containing a malicious link, which therefore doesn't prevent one browser window from loading content in a named frame in another window.
 Successful exploitation allows a malicious website to load arbitrary content in an arbitrary frame in another browser window owned by e.g. a trusted site.
 Secunia has constructed a test, which can be used to check if your browser is affected by this issue:

Just tested Konqueror 3.2.2 and it is vulnerable. mozilla-firefox-0.8-r3 seems not to suffer from this.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-07-05 02:10:42 UTC
Hardly exploitable, but should be fixed.

Affected packages :
kde-base/kdebase (Konqueror)

Fixed packages :
net-www/firefox >=0.9
net-www/mozilla >=1.7

Waiting for upstream fixes for Opera and Konqueror.
Comment 2 Dan Margolis (RETIRED) gentoo-dev 2004-07-05 14:36:08 UTC
net-www/netscape-navigator is vulnerable (I'm assuming net-www/netscape-communicator is as well). Note that I tested this on OSX, but it should be vulnerable on Linux as well. 

Who still uses Netscape, anyway? ;)
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-07-07 14:03:12 UTC
Opera fixed with bug #56311

Patch available for Konqueror

Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-07-07 14:06:14 UTC
KDE team: could you please look in the fix for Konqueror and issue a fixed ebuild ?
For netscape-communicator, I suppose there won't be a fix so we might need to mask it.
Comment 5 Caleb Tennis (RETIRED) gentoo-dev 2004-07-08 07:00:33 UTC
I'd like to see a little more conversation on the KDE bug site and find out what their plan is before I commit anything here.  If it's a serious problem, they'll issue a security advisory.  My guess is that the patch that's in that bug still has a little bit of work left.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-05 23:27:09 UTC
mozilla(-bin) and firefox seems to be fixed with bug #59419 
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-08-06 02:42:31 UTC
Moz and Firefox are fixed since 1.7 / 0.9, see comment above.
Konqueror and Netscape-Communicator are the only left to fix.
Changing title to reflect this.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-11 11:34:36 UTC
Konqueror fixed with bug #60068
Comment 9 Mamoru KOMACHI (RETIRED) gentoo-dev 2004-08-17 14:10:52 UTC
I agree to p.mask net-www/netscape-*. The latest portage is clever enough to show the reason of p.mask extracted from package.mask, so I would assume it's okay to keep them in our tree even though they are vulnerable to the exploit.
Comment 10 Aron Griffis (RETIRED) gentoo-dev 2004-08-18 12:37:49 UTC
ok, netscape-communicator and netscape-navigator are package.mask'd
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 06:36:34 UTC
This is ready for GLSA or close...
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-03 07:05:26 UTC
Closing without GLSA.