Closed Bug 292298 Opened 19 years ago Closed 19 years ago

Javascript can access frames in other domains

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major

Tracking

RESOLVED DUPLICATE of bug 291745

People

(Reporter: pvnick, Assigned: dveditz)

Details

(Whiteboard: [sg:dupe 291745])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

This is similar to my previous vuln, "Pressing Back can execute javascript."
However, this utilizes the feature that allows you to navigate through frames in
a frameset using the back/forward button. If we execute javascript in a frame in
the context of a site with a document.domain the same as that of the frameset,
that frame can access the rest of the frames contained within that frameset.

Reproducible: Always

Steps to Reproduce:
1. http://www.michaelevanchik.com/greyhatsfolder/vulnframeset.htm (notice that
none of the pages in michaelevanchik.com/greyhatsfolder contain active content)
2. Click the link on the leftmost frame that says "click here"
3. Once the page has loaded, press the Back button
Actual Results:
The contents of document.body.innerHTML of the bottommost frame are displayed in
a javascript alert.

Expected Results:
Navigation buttons should not navigate frames to javascript pages.
Possibly depends on a fix for bug 291745, but unlike that one this one works on
the Suite as well.
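The checks at stake in this report, as an added illustration that is not code from the bug report or from Mozilla: a small model of what a browser must verify before one frame may read another frame's document, covering the document.domain relaxation the report relies on and the origin a javascript: URL has to run under. Frame, canAccess and resolveScriptOrigin are hypothetical names, and every URL below is constructed.

```javascript
// Added illustration, not code from the bug report or from Mozilla: a model of
// the checks a browser applies before one frame may read another frame's
// document, plus the origin a javascript: URL must run under. Frame, canAccess
// and resolveScriptOrigin are hypothetical names; all URLs are constructed.

function parseOrigin(url) {
  const u = new URL(url);
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port || defaultPort };
}

// A document in a frame: its URL origin plus any value it assigned to document.domain.
class Frame {
  constructor(url, domain = null) {
    this.origin = parseOrigin(url);
    this.domain = domain;
  }
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// reader may touch target's DOM only when the origins match exactly, or when
// both documents opted in by setting document.domain to the same value.
function canAccess(reader, target) {
  if (reader.domain === null && target.domain === null) {
    return sameOrigin(reader.origin, target.origin);
  }
  return reader.domain !== null && reader.domain === target.domain &&
    reader.origin.scheme === target.origin.scheme;
}

// Script from a javascript: URL runs with the origin of the document that
// initiated the navigation, never with the origin of the frame being navigated.
// A Back/Forward navigation has no initiating document, so it must not run the
// URL at all, which is the expected result the report asks for.
function resolveScriptOrigin(url, initiator) {
  if (!url.startsWith('javascript:')) return parseOrigin(url);
  if (initiator === null) {
    throw new Error('history navigation must not execute a javascript: URL');
  }
  return initiator.origin;
}
```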
Assignee: nobody → dveditz
Status: UNCONFIRMED → NEW
Depends on: 291745
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
The key testcase frame has gone missing :-(
This follows from bug 291745. If going back runs a javascript url in the wrong
context then there are any number of same-origin violation exploits you can do.

*** This bug has been marked as a duplicate of 291745 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:fix] → [sg:dupe 291745]
Group: security
Flags: blocking-aviary1.0.5+