Date: Thu, 27 May 2004 13:01:13 -0700
From: Robert J Taylor <robert@...mestaylor.com>
To: sandrijeski@...oo.com, bugtraq@...urityfocus.com
Subject: Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability

sandrijeski@...oo.com wrote:

>In-Reply-To: <40A90108.9000301@...czaba.com>
>
>I can't see this as a vulnerability because it's legal code. I do something similar without using image map for my site to hide the affiliate tracking code.
>This is the code:
><a onmouseover="window.status='http://www.the-url-you-see.com';return true"
>title="The Link"
>onmouseout="window.status='Whatever-you-like-here';return true"
>href='http://www.some-other-url.com'>The link</a>
>

Being able to do something intentionally doesn't make it safe or ethical.

You are hiding tracking information from the person using your site; in effect and in fact you are lying to your visitor.

As a visitor to your site I would not appreciate my browser hiding the real contents of information used to track me and/or hide the real purpose of a benign-looking link. I would want my browser to be my agent, not yours.

Your anecdote rather establishes the vulnerability and points to its current use "in the wild."

Regards,

Robert J Taylor
robert-bugtraq@...mestaylor.com
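An added example, not part of the original post or thread: a Python check that flags anchors whose inline handlers set window.status to a URL on a different host than the real href, which is the mismatch discussed above. The function names and the sample markup (built from the hostnames in the quoted snippet plus one constructed benign link) are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# window.status = '...' inside an inline handler; tolerates an unterminated string.
STATUS_RE = re.compile(r"""window\.status\s*=\s*(['"])(.*?)(?:\1|;|$)""", re.I | re.S)
EVENTS = ("onmouseover", "onmouseout", "onfocus")

def host_of(text):
    """Lowercase hostname if text looks like an absolute URL, else None."""
    text = text.strip()
    if text.lower().startswith("www."):
        text = "http://" + text
    if "://" not in text:
        return None  # plain status text or a relative link: nothing to compare
    return (urlsplit(text).hostname or "").lower() or None

class StatusSpoofFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k: (v or "") for k, v in attrs}
        actual = host_of(a.get("href", ""))
        if actual is None:
            return
        for event in EVENTS:
            for m in STATUS_RE.finditer(a.get(event, "")):
                shown = host_of(m.group(2))
                if shown and shown != actual:  # displayed host differs from target
                    self.findings.append({"line": self.getpos()[0], "event": event,
                                          "shown": shown, "actual": actual})

def find_status_spoofs(html):
    finder = StatusSpoofFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: the first link mirrors the quoted markup, the second is benign.
SAMPLE = """<p>
<a onmouseover="window.status='http://www.the-url-you-see.com';return true"
   onmouseout="window.status='Whatever-you-like-here';return true"
   href='http://www.some-other-url.com'>The link</a>
<a onmouseover="window.status='http://www.example.org/docs';return true"
   href="http://www.example.org/docs?id=7">Docs</a>
</p>"""

if __name__ == "__main__":
    for f in find_status_spoofs(SAMPLE):
        print(f)
```

The check only compares hostnames, so a link that shows a cleaned-up URL on the same host, such as one with a tracking parameter stripped, is not reported.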