Network Security: Detailed info on Re: New URL spoofing bug in Microsoft Internet Explorer

Subject:	Re: New URL spoofing bug in Microsoft Internet Explorer
Date:	Fri, 29 Oct 2004 00:53:49 -0400

I'm not arguing that this isn't a bug mind you - it certainly is
something that should be looked at. (I haven't tested it myself... no
Windows box handy.) However, you can accomplish basically the same
thing with a little bit of inline javascript:

<a HREF="http://www.google.com/";
onMouseOver="window.status='http://www.microsoft.com/';return true"
onMouseOut="window.status='Done';return true">Click here</a>

Hovering over the link will display the "fake" Microsoft.com link in
the status bar. Leaving the link will revert to saying "Done" when
leaving the link. (Done is what appears in IE after a page is loaded.)
Clicking it will goto Google.com

This trivial, yet effective, method has been used for years for
advertising sites that want to hide the affiliate ID or whatever.
Plus, it's easier then making a table around every link, which will
throw off the formatting in some browers. =) On the other hand, if you
have javascript disabled (or not supported), then this wouldn't fool
you. 6 of one and half a dozen of the other. (Something else to note -
the inline javascript will work across multiple browsers. Not just
IE.) Either way, viewing the page source will reveal the truth,
obviously.

FWIW, I have made a quick page that hosts both "exploits" here as HTML:
 - http://www.guidoz.com/btstatusurl.html

Now you can see them as HTML in case your mail program doesn't.
This was done *very* quickly in kwrite, so no comments about the coding. =P
(Let me know if something doesn't work like it should however and I'll fix it.)

--
Peace. ~G


On Thu, 28 Oct 2004 23:38:16 +0200, 0-1-2-3@gmx.de <0-1-2-3@gmx.de> wrote:

New URL spoofing bug in Microsoft Internet Explorer

There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched),
which allowes to show any faked target-address in the status bar of the
window.

The example below will display a faked URL ("http://www.microsoft.com/";) in
the status bar of the window, if you move your mouse over the link. Click
on the link and IE will go to "http://www.google.com/"; and NOT to
"http://www.microsoft.com/"; .

<a href="http://www.microsoft.com/";><table><tr><td><a
href="http://www.google.com/";>Click here</td></tr></table></a>

Description: Microsoft Internet Explorer can't handle links surrounded by a
table and an other link correct.

The bug can be exploited using HTML mail message too.

Affected software: Microsoft Internet Explorer, Microsoft Outlook Express,
...

Workaround: Don't click on non-trusted links. Or right-click on links to
see the real target. Or use Copy-and-Paste.

Regards,
Benjamin Tobias Franz
Germany

<Prev in Thread]	Current Thread	[Next in Thread>
New URL spoofing bug in Microsoft Internet Explorer, 0-1-2-3 RE: New URL spoofing bug in Microsoft Internet Explorer, Larry Seltzer Re: New URL spoofing bug in Microsoft Internet Explorer, GuidoZ RE: New URL spoofing bug in Microsoft Internet Explorer, Larry Seltzer Re: New URL spoofing bug in Microsoft Internet Explorer, Christopher J. Pilkington Re: New URL spoofing bug in Microsoft Internet Explorer, GuidoZ <= Re: New URL spoofing bug in Microsoft Internet Explorer, GuidoZ Re: New URL spoofing bug in Microsoft Internet Explorer, Jérôme Re: New URL spoofing bug in Microsoft Internet Explorer, 0-1-2-3 Re: New URL spoofing bug in Microsoft Internet Explorer, http-equiv@excite.com

Previous by Date:	Re: Update: Web browsers - a mini-farce (MSIE gives in), Chris Paget
Next by Date:	Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?, Michael Engert
Previous by Thread:	Re: New URL spoofing bug in Microsoft Internet Explorer, Christopher J. Pilkington
Next by Thread:	Re: New URL spoofing bug in Microsoft Internet Explorer, GuidoZ
Indexes:	[Date] [Thread] [Top] [All Lists]