Re: New URL spoofing bug in Microsoft Internet Explorer

• Previous message: Benjamin Franz: "New URL spoofing bug in Microsoft Internet Explorer"
• Maybe in reply to: Benjamin Franz: "New URL spoofing bug in Microsoft Internet Explorer"
• Next in thread: Angus Scott-Fleming: "Re: New URL spoofing bug in Microsoft Internet Explorer"
• Reply: Angus Scott-Fleming: "Re: New URL spoofing bug in Microsoft Internet Explorer"
• Reply: Marjolein Katsma: "Re: New URL spoofing bug in Microsoft Internet Explorer"
• Reply: Russ Thomas: "Re: New URL spoofing bug in Microsoft Internet Explorer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Fri, 29 Oct 2004 16:19:03 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Firstly, the way the HTML is written, the href which should display and be used is http://www.microsoft.com, the single </a> should be the closing element for the first href.

Secondly, on XP SP2 this doesn't work. First, you get an information bar warning that content has been blocked. If you mouseover the "Click Here", you see www.google.com, not microsoft, in the status bar.

Thirdly, if you allow the blocked content, nothing changes except that one linefeed is introduced on the page and the "Click Here" is one line lower. An interesting side-effect of allowing the content is that while a mouseover the "Click Here" reveals www.google.com, if you slowly move the mouse down you will see www.microsoft.com flash in the status bar.

Seems to me we still have the idiotic rendering of incomplete/incorrect HTML, the way it does in Outlook. Forget about tags and it will render anything that looks like a URL as a URL.

In isolation, the google href may appear to be the most well-formed, but since HTML shouldn't be treated as isolated data islands, but instead as a sequence from beginning to end, the fact that XP SP2 renders www.google.com as the link is just wrong (even if it does mean the spoofing attempt fails.)

Further, if the single </a> tag closes the google href, then how is it possible that IE still can put www.microsoft.com in the status bar at all? It has no closing tag, so is not well-formed, and shouldn't be treated as a valid tag...but IE, even of XP SP2, still thinks its valid (granted, after the blocked content has been allowed.) What possible reason would there be to allow the rendering of that href???

All works as advertised on non-XP SP2 IE installations.

Cheers,
Russ - Senior Scientist/NTBugtraq Editor
TruSecure Corporation

--
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--

• Previous message: Benjamin Franz: "New URL spoofing bug in Microsoft Internet Explorer"
• Maybe in reply to: Benjamin Franz: "New URL spoofing bug in Microsoft Internet Explorer"
• Next in thread: Angus Scott-Fleming: "Re: New URL spoofing bug in Microsoft Internet Explorer"
• Reply: Angus Scott-Fleming: "Re: New URL spoofing bug in Microsoft Internet Explorer"
• Reply: Marjolein Katsma: "Re: New URL spoofing bug in Microsoft Internet Explorer"
• Reply: Russ Thomas: "Re: New URL spoofing bug in Microsoft Internet Explorer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]