Bugtraq mailing list archives
Re: New URL spoofing bug in Microsoft Internet Explorer
From: GuidoZ <uberguidoz () gmail com>
Date: Fri, 29 Oct 2004 01:34:17 -0400
Update to my previous email (quoted below) which was in reply to Benjamin's original email (quoted at bottom). Using Win XP Pro w/ SP2 (Fully patched according to Windows Update - IE version: 6.0.2900.2180), his example does NOT work. If you hover your mouse just above the link (where the table border would be), it says Microsoft.com, however, going over the actual link inside the table will properly reveal Google.com. (Maybe Microsoft patched this? Not sure what is meant by "fully patched" in Benjamin's text. Fully patched according to what?) My example still holds true however, as I expected. I wouldn't call it a bug or an exploit really. It's more like an "abused feature" if anything. It's not a glitch or an example of bad coding. It's just yet another deceptive way to fool someone using the resources available. Comments? Email: exploit _AT_ guidoz _DOT_ com More info here: http://www.guidoz.com/btstatusurl.html -- Peace. ~G On Fri, 29 Oct 2004 00:53:49 -0400, GuidoZ <uberguidoz () gmail com> wrote:
I'm not arguing that this isn't a bug mind you - it certainly is something that should be looked at. (I haven't tested it myself... no Windows box handy.) However, you can accomplish basically the same thing with a little bit of inline javascript: <a HREF="http://www.google.com/" onMouseOver="window.status='http://www.microsoft.com/';return true" onMouseOut="window.status='Done';return true">Click here</a> Hovering over the link will display the "fake" Microsoft.com link in the status bar. Leaving the link will revert to saying "Done" when leaving the link. (Done is what appears in IE after a page is loaded.) Clicking it will goto Google.com This trivial, yet effective, method has been used for years for advertising sites that want to hide the affiliate ID or whatever. Plus, it's easier then making a table around every link, which will throw off the formatting in some browers. =) On the other hand, if you have javascript disabled (or not supported), then this wouldn't fool you. 6 of one and half a dozen of the other. (Something else to note - the inline javascript will work across multiple browsers. Not just IE.) Either way, viewing the page source will reveal the truth, obviously. FWIW, I have made a quick page that hosts both "exploits" here as HTML: - http://www.guidoz.com/btstatusurl.html Now you can see them as HTML in case your mail program doesn't. This was done *very* quickly in kwrite, so no comments about the coding. =P (Let me know if something doesn't work like it should however and I'll fix it.) -- Peace. ~G On Thu, 28 Oct 2004 23:38:16 +0200, 0-1-2-3 () gmx de <0-1-2-3 () gmx de> wrote:New URL spoofing bug in Microsoft Internet Explorer There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched), which allowes to show any faked target-address in the status bar of the window. The example below will display a faked URL ("http://www.microsoft.com/") in the status bar of the window, if you move your mouse over the link. Click on the link and IE will go to "http://www.google.com/" and NOT to "http://www.microsoft.com/" . <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">Click here</td></tr></table></a> Description: Microsoft Internet Explorer can't handle links surrounded by a table and an other link correct. The bug can be exploited using HTML mail message too. Affected software: Microsoft Internet Explorer, Microsoft Outlook Express, ... Workaround: Don't click on non-trusted links. Or right-click on links to see the real target. Or use Copy-and-Paste. Regards, Benjamin Tobias Franz Germany
Current thread:
- New URL spoofing bug in Microsoft Internet Explorer 0-1-2-3 (Oct 28)
- RE: New URL spoofing bug in Microsoft Internet Explorer Larry Seltzer (Oct 29)
- Re: New URL spoofing bug in Microsoft Internet Explorer GuidoZ (Oct 29)
- RE: New URL spoofing bug in Microsoft Internet Explorer Larry Seltzer (Oct 30)
- Re: New URL spoofing bug in Microsoft Internet Explorer GuidoZ (Oct 29)
- Re: New URL spoofing bug in Microsoft Internet Explorer Christopher J. Pilkington (Oct 29)
- Re: New URL spoofing bug in Microsoft Internet Explorer GuidoZ (Oct 29)
- Re: New URL spoofing bug in Microsoft Internet Explorer GuidoZ (Oct 30)
- <Possible follow-ups>
- Re: New URL spoofing bug in Microsoft Internet Explorer Jérôme (Oct 29)
- Re: New URL spoofing bug in Microsoft Internet Explorer 0-1-2-3 (Oct 30)
- Re: New URL spoofing bug in Microsoft Internet Explorer http-equiv () excite com (Oct 30)
- RE: New URL spoofing bug in Microsoft Internet Explorer Larry Seltzer (Oct 29)