CVE-2002-0815

Name of the Vulnerable Software and Affected Versions: Netscape (affected versions not specified) Mozilla (affected versions not specified) Internet Explorer (affected versions not specified)

Description: The issue allows a remote web server to access restricted HTTP and SOAP/XML content by exploiting the Javascript "Same Origin Policy" (SOP) implementation. This is done by mapping the malicious server's parent DNS domain name to the restricted site, loading a page from the restricted site into one frame, and passing the information to the attacker-controlled frame. The attack is possible because the document.domain of the two frames matches on the parent domain.

Recommendations: For Netscape, consider restricting the use of frames to minimize the risk of exploitation. For Mozilla, avoid using the document.domain property in a way that could allow malicious servers to access restricted content. For Internet Explorer, as a temporary workaround, consider disabling the ability to load pages from restricted sites into frames until a more permanent solution is available. At the moment, there is no information about a newer version that contains a fix for this issue.