lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040528055741.GC1015@straylight.m.ringlet.net>
Date: Fri, 28 May 2004 08:57:42 +0300
From: Peter Pentchev <roam@...glet.net>
To: sandrijeski@...oo.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability

On Thu, May 27, 2004 at 09:53:33AM -0000, sandrijeski@...oo.com wrote:
> In-Reply-To: <40A90108.9000301@...czaba.com>
> 
> I can't see this as vulnerability because its legal code I do
> something similar without using image map for my site to hide the
> affiliate tracking code.
> 
> This is the code:
> <a onmouseover="window.status='http://www.the-url-you-see.com;return true" 
> title="The Link"
> onmouseout="window.status='Whatever-you-like-here';return true"
> href='http://www.some-other-url.com'>The link</a>
> 
> living example: http://lotdcrew.org/drunkteam_new/page/affiliates.php

Well, yes, it's true that with JavaScript and window.status we can never
trust the status line again, but the point of the original posting was
that this could be done on browsers with JavaScript *disabled*.

G'luck,
Peter

-- 
Peter Pentchev	roam@...glet.net    roam@...d.net    roam@...eBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ