Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: New URL spoofing bug in Microsoft Internet Explorer

from [Martin Maher] Network Security [Permanent Link]
Subject: Re: New URL spoofing bug in Microsoft Internet Explorer
Date: Sun, 31 Oct 2004 13:17:03 -0700 
What Marjolein says is true about the errors with the code but I
think something has been missed in the situational application of the
example. Specifically, since an anchor can *not* contain a block
level element, then the second anchor tag *should* fail as well. Why
you ask - because a closing tag for a block level element cuts off
what follows just as surely as an opening tag for a block level
element.

I believe Russ Thomas' tree is a correct metaphor for this situation
but with an incorrect outcome. Just as surely as the branch begun by
the <table> element gives an "end of stream" for the first anchor
tag, the explicit *ending* of a branch should yield an "end of
stream" for the second anchor tag.

IMHO, *neither* tag should work according to the rules and *any*
attempts to *interpret* an intended outcome will yield an erroneous
result.

Additionally, long gone should be the days when parsers (web
browsers) should be granting leniency to incorrect HTML vis a vis
*predicting* the intention of the author. This sort of flexibility
was originally allowed because this code was being written by hand by
scientists whose simple intention was to provide a visual tweak to
their data as it was shared by the then nacent WWW.

IM(second)HO, current browsers should strictly parse the HTML and
display it on the page. This would at the very least allow for the
determination of *bug* or *not bug* when we see issues such as this.
Now with leniency allowed on this level, we end up in dicussions of
*best method* for interpreting an *error* - intentional in nature or
not. The only *design decision* a browser writer should have is what
standards level to parse unmarked HTML to (i.e., HTMLv2, HTMLv3,
etc.).

And before anyone goes *there*, the excuse that this imperils
attempts to hand-write HTML (which is how I do all mine, btw) because
of the possibility of over-looked tags, copying errors in long
documents, etc. - welcome to writing code. And also to mitigate this
possible handicap, there are a slew of free and very low cost strict
code parsing error checking products on the market.

With all of the current concerns about security, I don't understand
how it can be acceptable behavior to allow a program with as wide a
data-catching net as a web browser to *guess* with information that
is inbound to our networks. This makes everyone who accepts this
*feature* complicit in the security problems on their own networks.

Respectfully,

Martin Maher
gentoo@penguindreams.us

At 22:19 2004-10-29, you wrote: 
In isolation, the google href may appear to be the most well-formed, but
since HTML shouldn't be treated as isolated data islands, but instead as a
sequence from beginning to end, the fact that XP SP2 renders
www.google.com as the link is just wrong (even if it does mean the
spoofing attempt fails.)


Excuse me, but I beg to differ.

The HTML standards have some rules and guidelines for how to render valid
code - they do NOT have guidelines for how to render invalid code. And the
example code given clearly is invalid. But there is no "right" or "wrong"
with what a browser does with that.

When a browser (any user agent) encounters invalid code, it can do anything
it "thinks" is appropriate with it (one reason why so many browsers are so
bloated: they do a lot of guesswork). There are no rules.

There are, in fact two errors with the code:
- an anchor cannot contain a block (and a table is a block)
- anchors cannot be nested

What "should" a browser do with these?
- If one takes the first rule, then it seems "natural" for a browser that
does even a little bit of validation in its attempts to guess to discard
the first opening a tag upon encountering the opening table tag going on a
general rule of thumb that an opening block-level tag ends whatever connot
contain a block. (This is why a new opening p tag starts a new paragraph
even if it isn't preceded by a closing p tag.)
- If one takes the second rule - what to do? what to do? Since anchors
cannot be nested, discarding the first opening anchor tag OR ignoring the
second opening tag would seem equally sensible.


--
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such 
that just hitting reply is going to result in the message coming to the list, 
not to the individual who sent the message. This was done to help reduce the 
number of Out of Office messages posters received. So if you want to send a 
reply just to the poster, you'll have to copy their email address out of the 
message and place it in your TO: field.
--

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  p h i s h i n g p h o r p h u n p h o r p h u q u e s a k e, http-equiv@excite.com
Next by Date:  zlib 1.2.2 released, Mark Adler
Previous by Thread:  Re: New URL spoofing bug in Microsoft Internet Explorer, Russ
Next by Thread:  Re: New URL spoofing bug in Microsoft Internet Explorer, http-equiv@excite.com
Indexes:  [Date] [Thread] [Top] [All Lists]