<<< Date Index >>>     <<< Thread Index >>>

Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability



sandrijeski@xxxxxxxxx wrote:

In-Reply-To: <40A90108.9000301@xxxxxxxxxxxx>

I can't see this as vulnerability because its legal code I do something similar 
without using image map for my site to hide the affiliate tracking code.
This is the code:
<a onmouseover="window.status='http://www.the-url-you-see.com;return true" title="The Link"
onmouseout="window.status='Whatever-you-like-here';return true"
href='http://www.some-other-url.com'>The link</a>

Being able to do something intentionally doesn't make it safe or ethical. You are hiding tracking information from the person using your site; in effect and in fact you are lying to your visitor. As a visitor to your site I would not appreciate my browser hiding the real contents of information used to track me and or hide the real purpose of a benign-looking link. I would want my browser to be my agent, not yours.

Your anecdote rather establishes the vulnerability and points to its current use "in the wild."


Regards,

Robert J Taylor
robert-bugtraq@xxxxxxxxxxxxxxxx