Message-ID: <20030513115605.29605.qmail@www.securityfocus.com>
Date: 13 May 2003 11:56:05 -0000
From: Liu Die Yu <liudieyuinchina@...oo.com.cn>
To: bugtraq@...urityfocus.com
Subject: fake location bar
fake location bar
("that's all" is end of file if you are in a hurry)
[tested]
Browser Ver: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 "
OS Ver: "Windows XP Cn ver"
[demo]
http://liudieyuinchina.vip.sina.com/NSNVBackFake/NSNVBackFake-MyPage.htm
[screenshot]
http://liudieyuinchina.vip.sina.com/NSNVBackFake/NSNVBackFake-Screenshot.htm
[exp]
you open
[CODE.URL]javascript:'some text'
in a new window.
then navigate that window to 'http://www.google.com'.
at last, "history.back()" to make it back to 'some text'.
as you can see in the demo:
location bar is faked.
that's all
[how]
i often check netscape navigator's version by
menu item: "Help" --> "About Netscape",
which navigates my browser to "about:".
after checking it, i navigated to another URL. accidentally i
pressed "Back", then the location bar didn't match content.
after several mechanical tries, i got this.
[Krade Internal Test]
i am developing a new plugin for Internet Explorer:
http://liudieyuinchina.vip.sina.com/KradeInternalTest
it's a BHO(browser helper object) enhancing web surfing.
i'll try my best to realize requested features sent to me. so feel free to
request features.
[greetings]
after gean discarded me, life is becoming harder and harder. i would like
to thank the following people who continuously help me:
the pull
dror (www.SafeCenter.net)
and always: mom & dad.
in the very end: thanx for reading, all readers.
best wishes
-----
if you can't access resources mentioned in this document, try:
http://umbrella.mx.tc