Message-ID: <40B64909.8050504@rjamestaylor.com>
Date: Thu, 27 May 2004 13:01:13 -0700
From: Robert J Taylor <robert@...mestaylor.com>
To: sandrijeski@...oo.com, bugtraq@...urityfocus.com
Subject: Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability


sandrijeski@...oo.com wrote:

>In-Reply-To: <40A90108.9000301@...czaba.com>
>
>I can't see this as a vulnerability because it's legal code. I do something similar, without using an image map, for my site to hide the affiliate tracking code.
>This is the code:
><a onmouseover="window.status='http://www.the-url-you-see.com';return true"
>title="The Link"
>onmouseout="window.status='Whatever-you-like-here';return true"
>href='http://www.some-other-url.com'>The link</a>
>
>  
>
Being able to do something intentionally doesn't make it safe or 
ethical. You are hiding tracking information from the person using your 
site; in effect and in fact you are lying to your visitor.  As a visitor 
to your site I would not appreciate my browser hiding the real contents 
of information used to track me and/or hide the real purpose of a 
benign-looking link. I would want my browser to be my agent, not yours.

Your anecdote rather establishes the vulnerability and points to its 
current use "in the wild."


Regards,

Robert J Taylor
robert-bugtraq@...mestaylor.com
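
A defensive check for the pattern discussed in this thread, added here as an example and not part of either poster's message: it scans markup for links whose `onmouseover` handler writes a URL into `window.status` that names a different host than the real `href`. The function names and the sample hosts are assumptions made for illustration, and hosts are compared by exact match.

```javascript
// Added example: flag <a> tags whose onmouseover writes a URL into
// window.status that points at a different host than the real href.
const TAG_RE = /<a\s+(?:[^>"']|"[^"]*"|'[^']*')*>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const STATUS_RE = /window\.status\s*=\s*(['"])(.*?)\1/i;

function hostOf(value) {
  try {
    return new URL(value).hostname.toLowerCase();
  } catch {
    return null; // not an absolute URL (plain text, relative link)
  }
}

function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

function findStatusSpoofs(html) {
  const findings = [];
  for (const [tag] of html.matchAll(TAG_RE)) {
    const attrs = parseAttrs(tag);
    const status = STATUS_RE.exec(attrs.onmouseover || "");
    if (!attrs.href || !status) continue;
    const shownHost = hostOf(status[2]);
    const realHost = hostOf(attrs.href);
    // Only a displayed URL on another host is reported; status text
    // that is not a URL is ignored.
    if (shownHost && realHost && shownHost !== realHost) {
      findings.push({ shown: status[2], href: attrs.href });
    }
  }
  return findings;
}

// Constructed sample markup using placeholder hosts.
const SAMPLE = `
<a onmouseover="window.status='http://shown.example/';return true"
   href='http://other.example/?aff=123'>The link</a>
<a onmouseover="window.status='http://same.example/a';return true"
   href="http://same.example/b">Honest link</a>
<a href="http://plain.example/">No handler</a>`;

console.log(findStatusSpoofs(SAMPLE));
```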


