lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 19 Oct 2004 13:39:12 +0200
From: "Dror Shalev" <dshalev@...jan.com>
To: "Paul Kurczaba" <paul@...pis.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: [IE 6 SP2] Possible URL Spoofing



<snip>

> javascript:document.write("<iframe src='http://www.google.com' 
> width='100%' height='100%'></iframe>");

</snip>


If you put <iframe frameborder=0 scrolling=no height=100% width=100%
src='http://www.google.com'></iframe>

And the Frame become invisible.

Dror

  
-----Original Message-----
From: Paul Kurczaba [mailto:paul@...pis.com] 
Sent: Saturday, October 16, 2004 4:04 AM
To: Andrew Hunter; bugtraq@...urityfocus.com
Subject: Re: [IE 6 SP2] Possible URL Spoofing

I realize that while many would be fooled, many wouldn't be, because the

frame is very visible; as shown here: 
http://www.kurczaba.com/images/iespoof.png.

Though, as you said, there is probably a way to bypass the homepage 
verification dialog.

It is just a matter of time :)

Just my 2 cents,
Paul
----- Original Message ----- 
From: "Andrew Hunter" <andiroohunter@....com>
To: <bugtraq@...urityfocus.com>
Sent: Friday, October 15, 2004 5:50 PM
Subject: [IE 6 SP2] Possible URL Spoofing


> Program: IE 6 Sp2
> Version: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
> OS: Windows XP Home SP2
>
> I was just messing around with IE, playing with JavaScript.
> It's a well known fact that IE lets you run javascript from the
address 
> bar:
>
> e.g Type the following into the address bar: javascript:alert('IE
Sucks Go 
> Get 
>
FireFox');document.location="http://www.mozilla.org/products/firefox/";
>
> That address will display a message box and then take you to the
firefox 
> download page. I then started to wonder what would happen if i set a 
> similar address as my homepage. So i went and did exactly that.  It
was 
> ammusing to see IE display "You Smell" when i clicked the homepage
button.
>
> I closed IE, and just dismissed the idea. Later on when i clicked the
IE 
> logo i heard the sound that windows makes when a message box is
displayed. 
> I couldn't see anything and IE failed to open.
>
> I pressed Ctrl-Alt-Del and just caught a glimps of it closing.
>
> I experimented more with setting the homepage to different things when
i 
> came accross this:
>
> javascript:document.write("<iframe src='http://www.google.com' 
> width='100%' height='100%'></iframe>");
>
> I went to www.slashdot.org and pressed my homepage button. Lo and
behold 
> google appeared on my screen and the address was still
www.slashdot.org!
>
> I couldn't find any JavaScript to auto set this as the homepage
without 
> asking the user to varify this, but i think there may be other ways in

> which this hole can be exploited!
>
> _________________________________________________________________
> Want to block unwanted pop-ups? Download the free MSN Toolbar now! 
> http://toolbar.msn.co.uk/
>
> 




-----------------------------------------------
This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ