Re: [Full-disclosure] New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 10/21/05

  • Next message: Jake Cole: "Re: [Full-disclosure] New (19.10.05) MS-IE Url Spoofing bug (by K-Gen)"
    Date: Sat, 22 Oct 2005 05:39:54 +1300
    To: full-disclosure@lists.grok.org.uk
    
    

    Raoul Nakhmanson-Kulish to me:

    > >>Cross-platform code (remove line breaks to test):
    > >><a href="http://www.microsoft.com"
    > >>onclick="self.location.href='http://www.google.com/';return
    > >>false;">Microsoft</a>
    > >>Works OK in MSIE 6.0/Win2003 SP1 fully patched, Mozilla 1.7.12, Opera 8.50.
    > > In my Win2KSP4+, Mozilla 1.0.7 it doesn't work
    > Do you mean Mozilla Firefox 1.0.7?

    Yes -- fingers don't work as fast as grey matter...

    > Had you removed line breaks (there must be a space between "return" and
    > "false")?
    > Had you allowed JavaScript in your browser?

    Yes, and yes, but I missed (in my hurry) that this (your?) "example"
    was not the OP's. My comments apply to the OP's code -- in Firefox
    1.0.7 on Win2K SP4 UR1+ the spoof does NOT work -- mouse-over the link
    and it is to MS and clicking it takes you to MS.

    BUT, as I also said, if you then hit "go back", instead of taking you
    to the original PoC page Firefox takes you "back" to Google (another
    "go back" takes you to the PoC page and now Google and then MS is in
    your forward browser history).

    IE 6.0 SP1+ is even weirder with the original PoC, as regards "go back"
    behaviour -- it seems that trying to go back to the PoC page (from
    Google, as the forward spoof works) causes the spoof script to be re-
    run, popping you back to Google despite the mouse-over location for the
    "go back" button being the URL to the PoC. However, selecting the
    first instance of the PoC URL from the drop-down on the "go back"
    button successfully reloads the PoC page...

    > I tested the code in FF 1.0.7 on fully patched Win2K SP4 UR1. It works.

    Yes, your (the above) code works on Firefox 1.0.7 and does not have the
    "go back" weirdness in either Firefox or IE.

    Regards,

    Nick FitzGerald

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
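The spoof discussed in this thread relies on an anchor whose visible href points at one site while an inline onclick handler rewrites the location to another. The following is an added example, not code from the thread or from any of its posters: a small static scanner (Node.js, standard library only, no third-party modules) that flags anchors whose href host differs from a navigation target assigned inside the onclick attribute. The sample HTML is constructed here and embeds the cross-platform snippet quoted above; the regexes are a heuristic, not a full HTML or JavaScript parser, so obfuscated handlers will slip past it.

```javascript
// Added example (not part of the original mailing-list post): a heuristic scanner for
// anchors whose href host and onclick navigation target disagree, which is the
// pattern behind the spoof discussed in the thread. Uses only Node.js built-ins.

// Constructed sample page: the snippet quoted in the thread plus two benign links.
const SAMPLE_HTML = `
<a href="http://www.microsoft.com"
onclick="self.location.href='http://www.google.com/';return false;">Microsoft</a>
<a href="https://example.org/docs" onclick="track('docs')">Docs</a>
<a href="https://example.org/a" onclick="location.href='https://example.org/b'">Same site</a>
`;

// Opening <a ...> tags; [^>]* spans line breaks inside the tag.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// href and onclick attributes in either quote style.
const ATTR_RE = /(href|onclick)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
// Navigation assignments such as self.location.href='...', location='...',
// location.assign("...") and location.replace("...").
const NAV_RE = /(?:location(?:\.href)?\s*=|location\.(?:assign|replace)\s*\()\s*['"]([^'"]+)['"]/g;

// Lower-cased host of a URL, or null when the string is not an absolute URL.
function hostOf(u) {
  try {
    return new URL(u).host.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Returns one finding { href, target } for every anchor whose onclick handler
// navigates to a host other than the one shown in its href.
function findHrefSpoofs(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = {};
    for (const a of m[1].matchAll(ATTR_RE)) {
      attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : a[3];
    }
    if (!attrs.href || !attrs.onclick) continue;
    const hrefHost = hostOf(attrs.href);
    for (const n of attrs.onclick.matchAll(NAV_RE)) {
      const target = n[1];
      const targetHost = hostOf(target);
      if (hrefHost && targetHost && hrefHost !== targetHost) {
        findings.push({ href: attrs.href, target });
      }
    }
  }
  return findings;
}

// Stand-alone run: prints the single mismatch in the constructed sample.
console.log(findHrefSpoofs(SAMPLE_HTML));
```

Feeding the scanner a saved copy of a suspect page gives a quick triage list; the same href/target comparison is what a browser user gets implicitly from the status-bar mouse-over that the thread describes, except that here it is checked before any click happens.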

