Bugtraq mailing list archives
Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability
From: Valdis.Kletnieks () vt edu
Date: Thu, 27 May 2004 15:47:39 -0400
On Thu, 27 May 2004 09:53:33 -0000, sandrijeski () yahoo com said:
> I can't see this as a vulnerability because it's legal code. I do something similar without using an image map for my site to hide the affiliate tracking code.
> <a onmouseover="window.status='http://www.the-url-you-see.com';return true" title="The Link" onmouseout="window.status='Whatever-you-like-here';return true" href='http://www.some-other-url.com'>The link</a>
Two points:

1) Your method doesn't work if the browser has disabled Javascript. Many people disable Javascript precisely because they don't like the concept of web page designers doing this sort of obfuscation. The fact that there exists a way to work around disabled Javascript *is* a vulnerability...

2) The fact that there are other ways to achieve the same end doesn't mean that it's not a vulnerability. Or do you claim that because so-called "419 scams" have been run in the past using fax spam rather than e-mail spam, that e-mail based 419 scams are therefore not a fraud? Or that because sidewalk con artists have been playing 3-card monte that pigeon drop scams aren't fraud?
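A defensive check for the pattern discussed in this thread, as an added example that is not part of the original messages: it scans HTML for links whose onmouseover handler sets window.status to a URL on a different host than the href. The function and class names are hypothetical, the sample markup is constructed from the snippet quoted above, and status text that is not an absolute URL is skipped because it has no host to compare.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Captures the quoted string assigned to window.status (or bare status) in a handler.
STATUS_RE = re.compile(r"""\bstatus\s*=\s*(['"])(.*?)\1""", re.I | re.S)

def _host(url):
    """Host of an absolute URL (lower-cased by urlsplit), or None when there is none."""
    try:
        return urlsplit(url.strip()).hostname
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return None

class StatusSpoofFinder(HTMLParser):
    """Hypothetical scanner: records links whose status-bar URL and href disagree."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = dict(attrs)  # HTMLParser lower-cases attribute names
        match = STATUS_RE.search(attr.get("onmouseover") or "")
        if not match:
            return
        shown, target = _host(match.group(2)), _host(attr.get("href") or "")
        if shown and target and shown != target:
            self.findings.append({"tag": tag, "shown": shown, "target": target,
                                  "line": self.getpos()[0]})

def find_status_spoofs(html):
    """Return one finding per link that displays one host and navigates to another."""
    finder = StatusSpoofFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: one mismatched link, one consistent link, one text-only status.
SAMPLE = """<p>
<a onmouseover="window.status='http://www.the-url-you-see.com';return true"
   href='http://www.some-other-url.com'>The link</a>
<a onmouseover="window.status='http://docs.example/help';return true"
   href="http://docs.example/">Help</a>
<a onmouseover="window.status='Whatever-you-like-here';return true"
   href="http://www.some-other-url.com">Text only</a>
</p>"""

if __name__ == "__main__":
    for finding in find_status_spoofs(SAMPLE):
        print(finding)
```

This check covers only the scripted case; a mismatch produced without Javascript, the case the reply calls a vulnerability, needs a separate rule.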
Current thread:
- Microsoft Internet Explorer ImageMap URL Spoof Vulnerability Kurczaba Associates advisories (May 17)
- <Possible follow-ups>
- RE: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability Drew Copley (May 17)
- Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability thegeekmeister (May 17)
- Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability Jan Kluka (May 18)
- Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability sandrijeski (May 27)
- Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability Robert J Taylor (May 31)
- Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability Valdis . Kletnieks (May 31)
- Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability Peter Pentchev (May 31)
- Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability http-equiv () excite com (May 27)