Re: New URL spoofing bug in Microsoft Internet Explorer
From: GuidoZ (uberguidoz_at_gmail.com)
Date: 10/29/04
- Previous message: Michael Shigorin: "Re: Update: Web browsers - a mini-farce (MSIE gives in)"
- In reply to: Larry Seltzer: "RE: New URL spoofing bug in Microsoft Internet Explorer"
- Next in thread: Larry Seltzer: "RE: New URL spoofing bug in Microsoft Internet Explorer"
- Reply: Larry Seltzer: "RE: New URL spoofing bug in Microsoft Internet Explorer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 29 Oct 2004 15:20:21 -0400 To: Larry Seltzer <larry@larryseltzer.com>
Same version I tested, Larry. (Same results too, for the most part.)
Try looking at my page for another example (as I stated in my previous
emails), as well as a way it might "work" in a sense:
- http://www.guidoz.com/btstatusurl.html
FYI: It seems my emails from 10/28 may have not made it to the list
yet (?). They are included.
-- Peace. ~G On Thu, 28 Oct 2004 22:14:28 -0400, Larry Seltzer <larry@larryseltzer.com> wrote: > Windows XP SP2 (IE 6.0.2900.2180.xpsp_sp2_rtm.040803-2158) > Has no problem - the status bar says Google and the click goes to Google > > Larry Seltzer > eWEEK.com Security Center Editor > http://security.eweek.com/ > http://blog.ziffdavis.com/seltzer > larryseltzer@ziffdavis.com > > > -----Original Message----- > From: 0-1-2-3@gmx.de [mailto:0-1-2-3@gmx.de] > Sent: Thursday, October 28, 2004 5:38 PM > To: bugtraq@securityfocus.com > Subject: New URL spoofing bug in Microsoft Internet Explorer > > New URL spoofing bug in Microsoft Internet Explorer > > There is a security bug in Internet Explorer 6.0.2800.1106 (fully > patched), which allowes to show any faked target-address in the status > bar of the window. > > The example below will display a faked URL ("http://www.microsoft.com/") > in the status bar of the window, if you move your mouse over the link. > Click on the link and IE will go to "http://www.google.com/" and NOT to > "http://www.microsoft.com/" . > > <a href="http://www.microsoft.com/"><table><tr><td><a > href="http://www.google.com/">Click here</td></tr></table></a> > > Description: Microsoft Internet Explorer can't handle links surrounded > by a table and an other link correct. > > The bug can be exploited using HTML mail message too. > > Affected software: Microsoft Internet Explorer, Microsoft Outlook > Express, ... > > Workaround: Don't click on non-trusted links. Or right-click on links to > see the real target. Or use Copy-and-Paste. > > Regards, > Benjamin Tobias Franz > Germany > >
- Previous message: Michael Shigorin: "Re: Update: Web browsers - a mini-farce (MSIE gives in)"
- In reply to: Larry Seltzer: "RE: New URL spoofing bug in Microsoft Internet Explorer"
- Next in thread: Larry Seltzer: "RE: New URL spoofing bug in Microsoft Internet Explorer"
- Reply: Larry Seltzer: "RE: New URL spoofing bug in Microsoft Internet Explorer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
