Open Source and information security mailing list archives
Date: Fri, 15 Oct 2004 22:03:38 -0400
From: "Paul Kurczaba" <paul@...pis.com>
To: "Andrew Hunter" <andiroohunter@....com>, <bugtraq@...urityfocus.com>
Subject: Re: [IE 6 SP2] Possible URL Spoofing

I realize that while many would be fooled, many wouldn't be, because the frame is very visible; as shown here: http://www.kurczaba.com/images/iespoof.png.

Though, as you said, there is probably a way to bypass the homepage verification dialog. It is just a matter of time :)

Just my 2 cents,
Paul

----- Original Message -----
From: "Andrew Hunter" <andiroohunter@....com>
To: <bugtraq@...urityfocus.com>
Sent: Friday, October 15, 2004 5:50 PM
Subject: [IE 6 SP2] Possible URL Spoofing

> Program: IE 6 Sp2
> Version: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
> OS: Windows XP Home SP2
>
> I was just messing around with IE, playing with JavaScript.
> It's a well-known fact that IE lets you run javascript from the address bar:
>
> e.g. Type the following into the address bar:
>
> javascript:alert('IE Sucks Go Get FireFox');document.location="http://www.mozilla.org/products/firefox/";
>
> That address will display a message box and then take you to the firefox
> download page. I then started to wonder what would happen if I set a
> similar address as my homepage. So I went and did exactly that. It was
> amusing to see IE display "You Smell" when I clicked the homepage button.
>
> I closed IE, and just dismissed the idea. Later on when I clicked the IE
> logo I heard the sound that windows makes when a message box is displayed.
> I couldn't see anything and IE failed to open.
>
> I pressed Ctrl-Alt-Del and just caught a glimpse of it closing.
>
> I experimented more with setting the homepage to different things when I
> came across this:
>
> javascript:document.write("<iframe src='http://www.google.com' width='100%' height='100%'></iframe>");
>
> I went to www.slashdot.org and pressed my homepage button. Lo and behold
> google appeared on my screen and the address was still www.slashdot.org!
>
> I couldn't find any JavaScript to auto set this as the homepage without
> asking the user to verify this, but I think there may be other ways in
> which this hole can be exploited!
>
> _________________________________________________________________
> Want to block unwanted pop-ups? Download the free MSN Toolbar now!
> http://toolbar.msn.co.uk/
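An added defensive example, not part of either poster's message: a Python check that audits collected homepage values and flags any whose scheme would run script instead of loading a page, as in the report above. The allow-list, the machine names and the sample values are assumptions constructed for illustration.

```python
import re

# Schemes a homepage setting may use (assumed local policy, not from the thread).
ALLOWED_SCHEMES = {"http", "https", "about"}

# URL parsers that follow the WHATWG URL standard drop leading/trailing control
# characters and spaces and remove tabs and newlines anywhere in the input, so a
# naive startswith("javascript:") test misses padded or split schemes.
_EDGE_CHARS = "".join(map(chr, range(0x21)))   # U+0000 .. U+0020
_TAB_NEWLINE = re.compile(r"[\t\r\n]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def homepage_scheme(value):
    """Return the lower-cased scheme of a homepage value, or None if it has none."""
    cleaned = _TAB_NEWLINE.sub("", value.strip(_EDGE_CHARS))
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def audit_homepages(entries):
    """Return (machine, value, scheme) for each entry whose scheme is not allowed.

    A value without any scheme (a bare host name) is passed, since the browser
    will load it as a web page. "host:port" values are reported on purpose:
    "javascript:1" has the same shape, so no shortcut is taken for them.
    """
    findings = []
    for machine, value in entries:
        scheme = homepage_scheme(value)
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            findings.append((machine, value, scheme))
    return findings


# Constructed sample: (machine name, homepage value) pairs.
SAMPLE = [
    ("ws-01", "http://www.google.com/"),
    ("ws-02", "about:blank"),
    ("ws-03", "javascript:document.write(\"<iframe src='http://www.google.com'></iframe>\");"),
    ("ws-04", "  JavaScript:alert('x')"),
    ("ws-05", "java\tscript:alert('x')"),
    ("ws-06", "www.slashdot.org"),
]

if __name__ == "__main__":
    for machine, value, scheme in audit_homepages(SAMPLE):
        print(f"{machine}: homepage uses '{scheme}:' scheme -> {value!r}")
```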