Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: New URL spoofing bug in Microsoft Internet Explorer

from [Christopher J. Pilkington] Network Security [Permanent Link]
Subject: Re: New URL spoofing bug in Microsoft Internet Explorer
Date: Thu, 28 Oct 2004 20:15:19 -0400 
Under IE 6.0.2900.2180, this does not occur as you describe.

If the mouse pointer is pointed to the edge around the link,
"http://www.microsoft.com"; is displayed, but when the pointer is
directly over the link, "http://www.google.com"; is correctly
displayed.

On Thu, 28 Oct 2004 23:38:16 +0200, 0-1-2-3@gmx.de <0-1-2-3@gmx.de> wrote:

New URL spoofing bug in Microsoft Internet Explorer

There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched),
which allowes to show any faked target-address in the status bar of the
window.

The example below will display a faked URL ("http://www.microsoft.com/";) in
the status bar of the window, if you move your mouse over the link. Click
on the link and IE will go to "http://www.google.com/"; and NOT to
"http://www.microsoft.com/"; .

<a href="http://www.microsoft.com/";><table><tr><td><a
href="http://www.google.com/";>Click here</td></tr></table></a>

Description: Microsoft Internet Explorer can't handle links surrounded by a
table and an other link correct.

The bug can be exploited using HTML mail message too.

Affected software: Microsoft Internet Explorer, Microsoft Outlook Express,
...

Workaround: Don't click on non-trusted links. Or right-click on links to
see the real target. Or use Copy-and-Paste.

Regards,
Benjamin Tobias Franz
Germany
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Update: Web browsers - a mini-farce (MSIE gives in), David Brodbeck
Next by Date:  Re: New URL spoofing bug in Microsoft Internet Explorer, Jérôme
Previous by Thread:  RE: New URL spoofing bug in Microsoft Internet Explorer, Larry Seltzer
Next by Thread:  Re: New URL spoofing bug in Microsoft Internet Explorer, GuidoZ
Indexes:  [Date] [Thread] [Top] [All Lists]