Full Disclosure mailing list archives
Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen)
From: Jake Cole <jakecoleus () yahoo com>
Date: Thu, 20 Oct 2005 12:33:02 -0700 (PDT)
In "Billy's" defense, this is expected in most JavaScript-enabled browsers. Here's a Firefox version:

<a href="http://microsoft.com" onClick="window.setTimeout('document.write(unescape(\'%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e\'))')">Microsoft</a>

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Nick FitzGerald
Sent: Thursday, October 20, 2005 12:08 PM
To: full-disclosure () lists grok org uk
Subject: [BULK] - Re: [Full-disclosure] New (19.10.05) MS-IE Url Spoofing bug (byK-Gen).

Mike Camden wrote:
I thought this was by design since you may have a known url to go to but only after some form of validation has been passed.

IFF that is the case, then it is an extraordinarily brain-dead design, as it breaks the very critical "rule" that you should NOT surprise the user. A URL link that is shown in the interface to go one place, but which goes somewhere else is fundamentally broken under that rule.

If this is by design, then it's another case of a feature that breaks Billy's admonition that security is to trump features, so should be fixed.

Regards,
Nick FitzGerald
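
Added example, not part of the original thread or written by any of its posters: a static check for the pattern discussed above, where an anchor's displayed href names one host while an inline mouse handler can navigate to another. The regex-based tag parsing, the handler list and the names `findSpoofedLinks`, `deepDecode` and `hostOf` are assumptions made for this sketch; same-host redirects (the "validation" case Mike Camden describes) are not flagged.

```javascript
// Added example (not from the original thread): flag anchors whose inline
// mouse handler can navigate to a host other than the one shown in href.
const TAG = /<a\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
const ATTR = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const SINK = /\blocation\b|\bdocument\.write(?:ln)?\b|\bwindow\.open\b/;
const URL_RE = /https?:\/\/[^\s'"<>\\)]+/gi;
const HANDLERS = ["onclick", "onmousedown", "onmouseup"]; // assumed list

// Percent-decode repeatedly: handlers may hide the target inside unescape().
function deepDecode(s, rounds = 3) {
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch { next = unescape(s); }
    if (next === s) break;
    s = next;
  }
  return s;
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

function findSpoofedLinks(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG)) {
    const attrs = {};
    for (const m of tag[1].matchAll(ATTR)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    const code = deepDecode(HANDLERS.map((h) => attrs[h]).filter(Boolean).join(";"));
    const shownHost = hostOf(attrs.href || ""); // relative hrefs are skipped
    if (!shownHost || !SINK.test(code)) continue;
    const hosts = [...new Set((code.match(URL_RE) || []).map(hostOf).filter(Boolean))];
    const offHost = hosts.filter((h) => h !== shownHost);
    if (offHost.length) findings.push({ href: attrs.href, shownHost, offHost });
  }
  return findings;
}

// Sample input: the first anchor is the one quoted in the post; the other two are constructed.
const SAMPLE = String.raw`
<a href="http://microsoft.com" onClick="window.setTimeout('document.write(unescape(\'%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e\'))')">Microsoft</a>
<a href="http://example.com/" onclick="window.location='http://example.com/validated';return false">Same host</a>
<a href="http://example.com/docs" onclick="track('nav')">No navigation</a>`;

console.log(findSpoofedLinks(SAMPLE));
```

Handlers attached from script (for example via addEventListener) are outside what this inline-attribute check can see.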