FrameJammer DOM based XSS
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: FrameJammer DOM based XSS
- From: mkey@xxxxxxxxxxx
- Date: Mon, 27 Feb 2012 08:50:36 GMT
Software: FrameJammer
Author: Hal Pawluk
Software Description: FrameJammer is a small piece of JavaScript that prevents
framed pages from being opened outside their frameset. FrameJammer used to be
distributed as a Macromedia Dreamweaver extension; nowadays web developers
spread it by copy-paste.
Problem:
FrameJammer does not validate user input (window.location) and therefore
contains a DOM-based XSS vulnerability.
PoC:
http://<url>?javascript:alert(123)~<frame-name>
I did not contact the author. His website is down and I am not in
possession of his contact information.
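
A defensive counterpart to the issue described above, as an added example that is not part of the original post and is not FrameJammer's code: it parses the `<page>~<frame-name>` query layout implied by the PoC and accepts only same-origin http(s) targets for frames the frameset defines. The function name, its parameters and the sample URLs are assumptions.

```javascript
// Added example, not FrameJammer's code. The "<page>~<frame-name>" layout is
// inferred from the PoC; parseFrameTarget and its parameters are hypothetical.
function parseFrameTarget(search, baseHref, allowedFrames) {
  // Drop the leading "?" and split on the LAST "~" so a "~" in the page URL survives.
  const raw = search.startsWith("?") ? search.slice(1) : search;
  const sep = raw.lastIndexOf("~");
  if (sep <= 0) return null; // no separator, or empty page part

  let page;
  try {
    page = decodeURIComponent(raw.slice(0, sep));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  const frame = raw.slice(sep + 1);

  // The frame name must be one the frameset actually defines.
  if (!allowedFrames.includes(frame)) return null;

  // Resolve against the frameset URL. The URL parser lower-cases the scheme and
  // strips leading whitespace and embedded tabs/newlines before we inspect it.
  let base, target;
  try {
    base = new URL(baseHref);
    target = new URL(page, base);
  } catch (e) {
    return null;
  }

  // Allow only http(s) on the same origin: rejects javascript:, data:, and
  // scheme-relative ("//host/...") redirects to other sites.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  if (target.origin !== base.origin) return null;

  // In the page, the caller would then do:
  //   window.frames[result.frame].location.replace(result.href);
  return { href: target.href, frame };
}

// Constructed sample values for illustration.
const BASE = "https://example.test/frameset.html";
const FRAMES = ["main", "nav"];
```

The check runs on the parsed URL rather than on the raw string, so mixed-case or whitespace-padded schemes are rejected the same way as the plain `javascript:` form.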