New URL spoofing bug in Microsoft Internet Explorer

0-1-2-3_at_gmx.de
Date: 10/28/04

  • Next message: Thierry Carrez: "[ GLSA 200410-30 ] GPdf, KPDF, KOffice: Vulnerabilities in included xpdf" 
    To: <bugtraq@securityfocus.com>
Date: Thu, 28 Oct 2004 23:38:16 +0200

    New URL spoofing bug in Microsoft Internet Explorer

    There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched),
    which allowes to show any faked target-address in the status bar of the
    window.

    The example below will display a faked URL ("http://www.microsoft.com/") in
    the status bar of the window, if you move your mouse over the link. Click
    on the link and IE will go to "http://www.google.com/" and NOT to
    "http://www.microsoft.com/" .

    <a href="http://www.microsoft.com/"><table><tr><td><a
    href="http://www.google.com/">Click here</td></tr></table></a>

    Description: Microsoft Internet Explorer can't handle links surrounded by a
    table and an other link correct.

    The bug can be exploited using HTML mail message too.

    Affected software: Microsoft Internet Explorer, Microsoft Outlook Express,
    ...

    Workaround: Don't click on non-trusted links. Or right-click on links to
    see the real target. Or use Copy-and-Paste.

    Regards,
    Benjamin Tobias Franz
    Germany

  • Next message: Thierry Carrez: "[ GLSA 200410-30 ] GPdf, KPDF, KOffice: Vulnerabilities in included xpdf"

    Relevant Pages
    • Quantcast