Bugtraq mailing list archives
RE: IE Certificate Stealing (Phising) bug
From: Michael Wojcik <Michael.Wojcik () microfocus com>
Date: Sat, 1 May 2004 08:18:29 -0700
> From: E.Kellinis [mailto:me () cipher org uk]
> Sent: Friday, April 30, 2004 11:09 AM
>
> If inside the index page links and forms use virtual pointers to directories or files (e.g. images/ or form/submit.php) we can use the trust of the visitor and steal information.
Those aren't called "virtual pointers to directories or files". They're "relative URLs". It's worth pointing this out because your recommended fix:
> Do not use virtual directories, instead use the real path or url
> Refresh access to the root directory
doesn't make sense as written. "virtual directories" in this context commonly refers to URL path segments that are mapped by the HTTP server to filesystem entities with different names. Avoiding them doesn't mitigate this attack. What you want to recommend here (presumably - I haven't tested it myself) is using relative URLs as reference values in secure HTML pages.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
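
As an added illustration, not part of the original message: this sketch lists the link, form and resource references in a page and shows how the relative ones quoted above (`images/`, `form/submit.php`) resolve against whatever URL the page was loaded from, while an absolute reference stays fixed. The sample HTML, the hostnames and the function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that carries the URL reference, per tag.
URL_ATTRS = {"a": "href", "link": "href", "img": "src", "script": "src",
             "iframe": "src", "form": "action"}

class RefCollector(HTMLParser):
    """Collect (tag, raw reference) pairs from links, forms and embedded resources."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value is not None:
                self.refs.append((tag, value))

def is_relative(ref):
    """A reference with no scheme and no host is resolved against the page's own URL."""
    parts = urlsplit(ref)
    return not parts.scheme and not parts.netloc

def audit(html, page_url):
    """Return (tag, raw reference, is relative, resolved URL) for each reference."""
    collector = RefCollector()
    collector.feed(html)
    return [(tag, ref, is_relative(ref), urljoin(page_url, ref))
            for tag, ref in collector.refs]

# Constructed sample page; hostnames are placeholders.
SAMPLE = """
<a href="images/">gallery</a>
<form action="form/submit.php" method="post"></form>
<form action="https://shop.example/form/submit.php" method="post"></form>
"""

if __name__ == "__main__":
    # Same markup, two different page URLs: only the relative references move.
    for base in ("https://shop.example/index.html", "https://other.example/index.html"):
        print(base)
        for tag, ref, rel, resolved in audit(SAMPLE, base):
            print(f"  <{tag}> {ref!r:45} relative={rel!s:5} -> {resolved}")
```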