<<< Date Index >>>     <<< Thread Index >>>

Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability



On Thu, May 27, 2004 at 09:53:33AM -0000, sandrijeski@xxxxxxxxx wrote:
> In-Reply-To: <40A90108.9000301@xxxxxxxxxxxx>
> 
> I can't see this as vulnerability because its legal code I do
> something similar without using image map for my site to hide the
> affiliate tracking code.
> 
> This is the code:
> <a onmouseover="window.status='http://www.the-url-you-see.com;return true" 
> title="The Link"
> onmouseout="window.status='Whatever-you-like-here';return true"
> href='http://www.some-other-url.com'>The link</a>
> 
> living example: http://lotdcrew.org/drunkteam_new/page/affiliates.php

Well, yes, it's true that with JavaScript and window.status we can never
trust the status line again, but the point of the original posting was
that this could be done on browsers with JavaScript *disabled*.

G'luck,
Peter

-- 
Peter Pentchev  roam@xxxxxxxxxxx    roam@xxxxxxxx    roam@xxxxxxxxxxx
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.

Attachment: pgpHQwxbLpaGb.pgp
Description: PGP signature