[<prev] [next>] [day] [month] [year] [list]
Message-ID: <9DC192419E5E924F9025E2C2A738490B319C9D@ntserver>
Date: Tue, 11 May 2004 14:48:03 +0100
From: "Carl" <carl@...nda-rm.co.uk>
To: <bugtraq@...urityfocus.com>
Subject: Hiding URLs from Outlook and other mail clients
Today, one of our staff began receiving emails containing URL's similar
to this:
http://drs.yahoo.com/www.example.com/NEWS/*http://slashdot.org/#http://d
rs.yahoo.com/www.example.com/NEWS
When the link is viewed in Outlook (and also Kontact/Kmail), it only
displays the portion before the asterisk:
http://drs.yahoo.com/www.example.com/NEWS/
However, when the link is clicked, drs.yahoo.com issues an HTTP 302 and
redirects the browser to the site after the asterisk.
The URL our user received in her email redirected her to:
http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/terra.ht
ml
This HTML page then redirects the browser (using javascript) to:
http://www.danni.com/free/modelsdir.html (NOT work safe - it's a soft
porn site).
The worrying part for us was that both Outlook 2000 _and_ Kmail (only
after enabling the HTML facility) only displayed the portion of the URL
before the asterisk, making it easy to trick users into clicking
malicious links. Is this 'bug' actually a 'feature', a 'standard' or
just a coincidence?
Carl.
DISCLAIMER
Any opinions expressed in this email are those of the individual and not necessarily the Company. This email and any files transmitted with it, including replies and forwarded copies (which may contain alterations) subsequently transmitted from the Company are confidential and solely for the use of the intended recipient. It may contain material protected by attorney-client privilege. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this email in error and that any use is strictly prohibited.
Powered by blists - more mailing lists