From: sec-adv at secunia.com (Secunia Security Advisories)
Subject: [SA14304] Internet Explorer/Outlook Express Status Bar Spoofing -- A joke ? (Modified by ZATAZ)

Hello,

Is this advisory, or all the other advisories related to the status bar
spoofing, a joke ????

If not then Mozilla, Firefox and some other browsers are vulnerable
to this kind of spoofing .....

Take a look :

http://www.zataz.net/dev/lol-browser-spoofing.html

Vulnerable :

Mozilla (all versions)
Internet Explorer  (all versions)
others ....

Firefox :

It displays nothing, but normally should display the URL,
is it spoofing ? LOL

Bye, bye status bar, bye bye funny message in status bar, spoofing
paranoia has killed you.

Regards.

Eric Romang

----------------------------------------------------------------------


TITLE:
Internet Explorer/Outlook Express Status Bar Spoofing

SECUNIA ADVISORY ID:
SA14304

VERIFY ADVISORY:
http://secunia.com/advisories/14304/

CRITICAL:
Not critical

IMPACT:
Security Bypass

WHERE:
From remote

SOFTWARE:
Microsoft Outlook Express 6
http://secunia.com/product/102/
Microsoft Internet Explorer 6
http://secunia.com/product/11/

DESCRIPTION:
bitlance winter has discovered a weakness in Internet
Explorer/Outlook Express, which can be exploited by malicious people
to trick users into visiting a malicious web site by obfuscating
URLs.

It is by default possible for script code to manipulate information
displayed in the status bar. However, an error allows manipulation of
the status bar without using any script code (e.g. in the "Restricted
sites" zone).

This can be exploited by including a "label" tag for a link, which
manipulates the link's appearance via some specially crafted HTML
code.

This weakness is a variant of:
SA11273
SA11582
SA13015

Example:
<p><a id="SPOOF" href="[malicious_site]"></a></p>
<div>
<a href="[trusted_site]">
<table>
<caption>
<a href="[trusted_site]">
<label for="SPOOF">
<u style="cursor: pointer; color: blue">
[trusted_site]
</u>
</label>
</a>
</caption>
</table>
</a>
</div>

The weakness has been confirmed in version 6.0 on a fully patched
system running Windows XP with SP2 installed. Other versions may also
be affected.

SOLUTION:
Never follow links from untrusted sources.

PROVIDED AND/OR DISCOVERED BY:
bitlance winter

OTHER REFERENCES:
SA11273:
http://secunia.com/advisories/11273/

SA11582:
http://secunia.com/advisories/11582/

SA13015:
http://secunia.com/advisories/13015/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
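
The structure the advisory describes (a "label" inside a link whose "for" attribute names a different link) can be checked for mechanically, for example when filtering HTML mail. The following Python is an added example, not part of the original post or of the Secunia advisory; the name find_label_redirects and the sample hosts are constructed for illustration.

```python
from html.parser import HTMLParser

class LabelLinkAudit(HTMLParser):
    """Record <a id=...> targets and every <label for=...> nested in a link."""
    def __init__(self):
        super().__init__()
        self.anchors = {}     # id -> href for each <a> that carries an id
        self.open_links = []  # hrefs of the <a> elements currently open
        self.labels = []      # (for-id, href of the innermost enclosing <a>)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a":
            href = attr.get("href") or ""
            self.open_links.append(href)
            if attr.get("id"):
                self.anchors[attr["id"]] = href
        elif tag == "label" and attr.get("for") and self.open_links:
            self.labels.append((attr["for"], self.open_links[-1]))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links:
            self.open_links.pop()

def find_label_redirects(html):
    """Return (label_for, shown_href, activated_href) for each mismatch."""
    audit = LabelLinkAudit()
    audit.feed(html)
    audit.close()
    # Resolve after parsing so a label may precede the anchor it names.
    return [(fid, shown, audit.anchors[fid])
            for fid, shown in audit.labels
            if fid in audit.anchors and audit.anchors[fid] != shown]

# Constructed sample with the advisory's structure; hosts are placeholders.
SAMPLE = """<p><a id="SPOOF" href="http://other.example/"></a></p>
<div><a href="http://trusted.example/"><table><caption>
<a href="http://trusted.example/"><label for="SPOOF">
<u style="cursor: pointer; color: blue">http://trusted.example/</u>
</label></a></caption></table></a></div>"""
# Constructed benign case: the label names a form field, not another link.
BENIGN = '<a href="http://trusted.example/"><label for="q">Search</label></a><input id="q">'

if __name__ == "__main__":
    for finding in find_label_redirects(SAMPLE):
        print("label for=%r shown=%r activates=%r" % finding)
```

A finding means the link a reader sees in the status bar and the link the label activates differ; labels that point at form controls produce none.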
