Re: New URL spoofing bug in Microsoft Internet Explorer
From: Marjolein Katsma (hl4s6u0p1y001_at_SNEAKEMAIL.COM)
Date: 10/30/04
- Previous message: Yergeau, Tom: "Re: New URL spoofing bug in Microsoft Internet Explorer"
- In reply to: Russ: "Re: New URL spoofing bug in Microsoft Internet Explorer"
- Next in thread: Russ Thomas: "Re: New URL spoofing bug in Microsoft Internet Explorer"
Date: Sat, 30 Oct 2004 09:31:31 +0200
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
At 22:19 2004-10-29, you wrote:
>In isolation, the google href may appear to be the most well-formed, but
>since HTML shouldn't be treated as isolated data islands, but instead as a
>sequence from beginning to end, the fact that XP SP2 renders
>www.google.com as the link is just wrong (even if it does mean the
>spoofing attempt fails.)
Excuse me, but I beg to differ.
The HTML standards have some rules and guidelines for how to render valid
code - they do NOT have guidelines for how to render invalid code. And the
example code given clearly is invalid. But there is no "right" or "wrong"
with what a browser does with that.
When a browser (any user agent) encounters invalid code, it can do anything
it "thinks" is appropriate with it (one reason why so many browsers are so
bloated: they do a lot of guesswork). There are no rules.
There are, in fact, two errors with the code:
- an anchor cannot contain a block (and a table is a block)
- anchors cannot be nested
What "should" a browser do with these?
- If one takes the first rule, then it seems "natural" for a browser that
does even a little bit of validation in its attempts to guess to discard
the first opening a tag upon encountering the opening table tag, going on a
general rule of thumb that an opening block-level tag ends whatever cannot
contain a block. (This is why a new opening p tag starts a new paragraph
even if it isn't preceded by a closing p tag.)
- If one takes the second rule - what to do? what to do? Since anchors
cannot be nested, discarding the first opening anchor tag OR ignoring the
second opening tag would seem equally sensible.
The vulnerability, as explained, is a special case of user agents doing
guesswork on invalid code (trying to be helpful, but you can't always guess
an author's intentions). It would probably help if browsers had a
(user-selectable) mode to discard all invalid code and simply give an error
message or at least a warning.
Put differently: the case outlined is certainly a vulnerability; but I
would not classify it as a *bug* since there is no expected, or defined,
behavior for what a browser should do with invalid code. All you can say is
that the behavior as described is "undesirable" - but that is not the same
as a bug.
-- Marjolein Katsma
Travel Blog: http://iamback.com/blog/
Spam Reporting Addresses: http://banspam............../report3.html

--
NTBugtraq Editor's Note: Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--
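The post argues that, for invalid markup, the href a visible link text ends up with depends entirely on which error-recovery rule the user agent applies. The following is an added example, not code from the original post or from any browser: a toy tag-level tokenizer that applies the two recovery rules described above (an opening block-level tag ends any open anchor; a nested anchor either discards the outer one or is itself ignored) to a constructed snippet with a table and a second anchor nested inside an outer anchor, and reports which href the visible text would be attributed to under each policy. The snippet, the attacker.invalid host and the policy names are all invented for illustration; this is not the proof-of-concept from the thread and not a real HTML parser.

```javascript
// Added example (not from the original post): a toy HTML tag tokenizer with
// pluggable error recovery for the two errors discussed in the thread.
// It is NOT a real browser parser; it only applies the stated rules.

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const HREF_RE = /href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
// Block-level elements for rule 1 ("an anchor cannot contain a block").
const BLOCK_TAGS = new Set(['table', 'div', 'p', 'ul', 'ol', 'pre']);

// Constructed test markup (hypothetical, not the original PoC): an outer
// anchor to an attacker URL wrapping a table whose cell holds an inner
// anchor to the site the user believes they are visiting.
const SPOOF_SNIPPET =
  '<a href="http://attacker.invalid/login"><table><tr><td>' +
  '<a href="http://www.google.com/">www.google.com</a></td></tr></table></a>';

// Split markup into open/close/text tokens, extracting href from open tags.
function tokenize(html) {
  const tokens = [];
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    if (m.index > last) tokens.push({ type: 'text', text: html.slice(last, m.index) });
    const h = HREF_RE.exec(m[3]);
    const href = h ? (h[1] || h[2] || h[3]) : null;
    tokens.push({ type: m[1] ? 'close' : 'open', name: m[2].toLowerCase(), href });
    last = m.index + m[0].length;
  }
  if (last < html.length) tokens.push({ type: 'text', text: html.slice(last) });
  return tokens;
}

// policy.blockClosesAnchor: an opening block tag ends any open anchor (rule 1).
// policy.nestedAnchor: 'discard-outer' | 'ignore-inner' | 'innermost' (rule 2).
// Returns [{ text, href }] for every non-blank text run, href being the
// anchor that text would activate under the chosen recovery policy.
function resolveLinks(html, policy) {
  const anchors = []; // stack of hrefs currently treated as open
  const out = [];
  for (const tok of tokenize(html)) {
    if (tok.type === 'open') {
      if (tok.name === 'a') {
        if (anchors.length === 0 || policy.nestedAnchor === 'innermost') {
          anchors.push(tok.href);
        } else if (policy.nestedAnchor === 'discard-outer') {
          anchors.length = 0;
          anchors.push(tok.href);
        }
        // 'ignore-inner': the second opening a tag is dropped entirely
      } else if (policy.blockClosesAnchor && BLOCK_TAGS.has(tok.name)) {
        anchors.length = 0; // a block ends whatever cannot contain a block
      }
    } else if (tok.type === 'close') {
      if (tok.name === 'a' && anchors.length) anchors.pop();
    } else if (tok.text.trim()) {
      out.push({ text: tok.text.trim(), href: anchors.length ? anchors[anchors.length - 1] : null });
    }
  }
  return out;
}

// The recovery policies the post considers, plus "no recovery" for contrast.
const POLICIES = {
  'rule1: block tag closes the anchor': { blockClosesAnchor: true, nestedAnchor: 'innermost' },
  'rule2a: discard the outer anchor': { blockClosesAnchor: false, nestedAnchor: 'discard-outer' },
  'rule2b: ignore the inner anchor': { blockClosesAnchor: false, nestedAnchor: 'ignore-inner' },
  'no recovery: innermost anchor wins': { blockClosesAnchor: false, nestedAnchor: 'innermost' },
};

// Run every policy over the markup and map each visible text run to its href.
function compareRecoveries(html) {
  const result = {};
  for (const [name, policy] of Object.entries(POLICIES)) {
    result[name] = resolveLinks(html, policy).map((l) => `${l.text} -> ${l.href}`);
  }
  return result;
}

console.log(compareRecoveries(SPOOF_SNIPPET));
```

Three of the four policies attach the visible text "www.google.com" to the google URL; only the "ignore the inner anchor" policy attaches it to the attacker URL, which is the spoofing outcome. Nothing in the toy decides which policy is "right": as the post says, the standards do not define behaviour for this input, so which href wins is purely a property of the user agent's guesswork.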