Date: Tue, 15 Jun 2004 17:17:24 +0200
From: "Martijn Brinkers" <m.brinkers@...ox.com>
To: <bugtraq@...urityfocus.com>
Subject: ActiveX control download and redirection


Hi,

I have been playing around with ActiveX controls and I noticed that IE shows
the complete URL even though the download has been redirected. From a user
perspective it's a bit unclear where the actual ActiveX control is downloaded
from.

An example can be found at (a self-signed ActiveX control will be downloaded):

http://www.brinkers.cistron.nl/RedirectYahoo.htm

It contains the following <OBJECT> tag.

<OBJECT
   classid="clsid:6A9F9438-754D-4D6A-932C-9C28405634F6"
   codebase="http://rds.yahoo.com/*http://www.brinkers.cistron.nl/RedirectTestProj1.cab#version=1,0,0,0"
>

IE now shows a dialog ( http://www.brinkers.cistron.nl/activex.jpg )
indicating the ActiveX control comes from:

http://rds.yahoo.com/*http://www.brinkers.cistron.nl/RedirectTestProj1.cab

but it is actually downloaded from http://www.brinkers.cistron.nl

It's probably the correct behavior (by design) but I think it can be misused
in some ways?

Any comments?

Martijn Brinkers

m.brinkers@...ox.com
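
The post above describes the dialog showing the pre-redirect codebase URL while the control is actually fetched from the redirect target. The following is an added example, not code from the original post or from Microsoft: a small offline check that pulls the codebase URL out of an <OBJECT> tag, walks its redirect chain, and flags when the origin a user would see differs from the origin the file really comes from. The redirect table, the example.com/example.net hostnames, the zero CLSID and the function names are all constructed for this demonstration; a real audit would replace the table with the Location headers returned by the servers.

```python
# Added example (not part of the original post): resolve where an
# <OBJECT codebase="..."> URL actually ends up after HTTP redirects and
# compare that origin with the one shown in the download dialog.
# Redirect hops come from a constructed table instead of real HTTP
# requests so the check runs offline; every URL below is an assumed,
# illustrative value, not data taken from the original message.
import re
from urllib.parse import urlsplit

# Constructed redirect table: request URL -> Location header it would return.
# Assumed values for demonstration only.
REDIRECTS = {
    "http://redirector.example.com/*http://downloads.example.net/Control.cab":
        "http://downloads.example.net/Control.cab",
}

# Constructed HTML fragment; the all-zero CLSID is a placeholder.
SAMPLE_HTML = """<OBJECT
   classid="clsid:00000000-0000-0000-0000-000000000000"
   codebase="http://redirector.example.com/*http://downloads.example.net/Control.cab#version=1,0,0,0"
></OBJECT>"""


def extract_codebase(html):
    """Return the codebase URL of the first <OBJECT> tag, minus any #version fragment."""
    m = re.search(r'<object[^>]*\bcodebase\s*=\s*"([^"]+)"', html, re.I)
    if not m:
        return None
    return m.group(1).split("#", 1)[0]


def resolve_final_url(url, redirects, max_hops=10):
    """Follow redirects from the table until a URL has no further hop.

    Returns (final_url, list_of_hops). max_hops guards against loops.
    """
    hops = []
    while url in redirects and len(hops) < max_hops:
        hops.append(url)
        url = redirects[url]
    return url, hops


def origin(url):
    """(scheme, host, port) triple, which is what a user should compare on."""
    s = urlsplit(url)
    default_port = 443 if s.scheme.lower() == "https" else 80
    return (s.scheme.lower(), (s.hostname or "").lower(), s.port or default_port)


def audit_codebase(html, redirects=REDIRECTS):
    """Report the displayed URL, the real download URL and whether they differ in origin."""
    displayed = extract_codebase(html)
    if displayed is None:
        return {"displayed_url": None, "final_url": None, "hops": 0, "origin_mismatch": False}
    final, hops = resolve_final_url(displayed, redirects)
    return {
        "displayed_url": displayed,
        "final_url": final,
        "hops": len(hops),
        "origin_mismatch": origin(displayed) != origin(final),
    }


if __name__ == "__main__":
    for key, value in audit_codebase(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The check compares origins (scheme, host, port) rather than full URLs, because that is the boundary a user is implicitly trusting when they accept a download; a path-only difference on the same host is not what this post is about.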
