Re: New URL spoofing bug in Microsoft Internet Explorer

From: James C Slora Jr (Jim.Slora_at_PHRA.COM)
Date: 10/29/04

    Date:         Fri, 29 Oct 2004 16:33:30 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    0-1-2-3@gmx.de wrote Thursday, October 28, 2004 17:38

    > The example below will display a faked URL
    > ("http://www.microsoft.com/") in the status bar of the
    > window, if you move your mouse over the link. Click on the
    > link and IE will go to "http://www.google.com/" and NOT to
    > "http://www.microsoft.com/" .
    >
    > <a href="http://www.microsoft.com/"><table><tr><td><a
    > href="http://www.google.com/">Click here</td></tr></table></a>

    My results differ. IE6.0 SP2 +patches on XP SP2 +patches

    If I hold the cursor just above the "Click here" hyperlinked text, the
    status bar does display the microsoft link - but clicking there does not
    take me anywhere. But if I move the tip of the cursor down onto the text, it
    displays the google link. So for some users who point the cursor high on the
    link, it might be of some use. But otherwise it is not too tricky.

    This would be consistent with the layout since there is a hyperlinked blank
    area of the table pointing at microsoft. The hyperlinked table will not
    actually take me anywhere if I click on it though - it just displays the URL
    in the status bar.

    The effect can be dramatized by adding more table rows:
    <a
    href="http://www.microsoft.com/"><table><tr><td><tr><td><tr><td><tr><td><tr>
    <td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td>
    <tr><td><tr><td><tr><td><a
    href="http://www.google.com/">Click here</td></tr></table></a>

    I can also pad the area below the table.

    <a
    href="http://www.microsoft.com/"><table><tr><td><tr><td><tr><td><tr><td><tr>
    <td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td>
    <tr><td><tr><td><tr><td><a
    href="http://www.google.com/">Click
    here<tr><td><tr><td><tr><td><tr><td></td></tr></table></a>

    Interestingly if I add table rows just before the hyperlinked text, the text
    loses its hyperlinked status entirely. The blank table rows still trigger
    the status bar display change, and IE "protects" me from dragging and
    dropping the hyperlink, but no amount of clicking takes my browser anywhere
    at all.

    <a
    href="http://www.microsoft.com/"><table><tr><td><tr><td><tr><td><tr><td><tr>
    <td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td>
    <tr><td><tr><td><tr><td><a
    href="http://www.google.com/"><td><tr>Click here</td></tr></table></a>

    Add some more tr and td tags after the hyperlinked text, and it gets its
    underline back but still does not take me anywhere - and it splits "Click"
    and "here" onto separate lines.

    <a
    href="http://www.microsoft.com/"><table><tr><td><tr><td><tr><td><tr><td><tr>
    <td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td>
    <tr><td><tr><td><tr><td><a
    href="http://www.google.com/"><td><tr>Click
    here<tr><td><tr><td><tr><td><tr><td></td></tr></table></a>

    So there is some odd stuff going on with rendering and parsing, but it looks
    like it would take more experimentation to see if there is anything
    exploitable here.

    It could make for some irritating trouble ticket spoofs - Help! I can't
    click this link!
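
A defensive check for the markup pattern discussed in this thread, as an added example that is not part of the original post: it scans HTML source for a link opened inside another link that is still open and reports whether the two point at different hosts. The class and function names are hypothetical, and the scan works on tokens only, without emulating how any browser builds or renders the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Markup quoted in the thread (the original single-row variant).
POSTED_MARKUP = (
    '<a href="http://www.microsoft.com/"><table><tr><td><a '
    'href="http://www.google.com/">Click here</td></tr></table></a>'
)
# Constructed benign sample: sibling links and a named anchor, nothing nested.
BENIGN_MARKUP = (
    '<a name="top"></a><a href="http://example.com/">one</a> '
    '<a href="http://example.org/">two</a>'
)


class NestedAnchorFinder(HTMLParser):
    """Token-level scan: report <a href> opened inside an unclosed <a href>.

    This does not emulate any browser's tree building or rendering; it only
    flags the source pattern so a filter or reviewer can look at it.
    """

    def __init__(self):
        super().__init__()
        self.open_anchors = []  # href (or None) of each <a> not yet closed
        self.findings = []      # (outer_href, inner_href, line, hosts_differ)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        # Nearest enclosing anchor that actually carries an href.
        outer = next((h for h in reversed(self.open_anchors) if h), None)
        if href and outer:
            differ = urlsplit(outer).hostname != urlsplit(href).hostname
            self.findings.append((outer, href, self.getpos()[0], differ))
        self.open_anchors.append(href)

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            self.open_anchors.pop()


def find_nested_anchors(markup):
    """Return one finding per nested link in the given HTML source."""
    finder = NestedAnchorFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings
```

A finding whose last field is true marks the case where a status-bar preview and the clicked destination can disagree, which is the one worth routing to a mail or content filter for review.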
