lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20041029225522.30175.qmail@mail2.securityfocus.com>
Date: Fri, 29 Oct 2004 19:08:52 -0400
From: "Larry Seltzer" <larry@...ryseltzer.com>
To: "'GuidoZ'" <uberguidoz@...il.com>
Cc: <0-1-2-3@....de>, <bugtraq@...urityfocus.com>
Subject: RE: New URL spoofing bug in Microsoft Internet Explorer


Russ from NTBugTraq helped to clear some of this up. If you hover the
mouse below the actual link to Google - in a very narrow area - the
status bar will show www.microsoft.com, but clicking doesn't do
anything. So it's definitely a stupid error in IE, but the spoofing
angle in SP2 is debatable.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
larryseltzer@...fdavis.com 
-----Original Message-----
From: GuidoZ [mailto:uberguidoz@...il.com] 
Sent: Friday, October 29, 2004 3:20 PM
To: Larry Seltzer
Cc: 0-1-2-3@....de; bugtraq@...urityfocus.com
Subject: Re: New URL spoofing bug in Microsoft Internet Explorer

Same version I tested, Larry. (Same results too, for the most part.) Try
looking at my page for another example (as I stated in my previous
emails), as well as a way it might "work" in a sense:
 - http://www.guidoz.com/btstatusurl.html

FYI: It seems my emails from 10/28 may have not made it to the list yet
(?). They are included.

--
Peace. ~G


On Thu, 28 Oct 2004 22:14:28 -0400, Larry Seltzer
<larry@...ryseltzer.com> wrote:
> Windows XP SP2 (IE 6.0.2900.2180.xpsp_sp2_rtm.040803-2158)
> Has no problem - the status bar says Google and the click goes to 
> Google
> 
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.ziffdavis.com/seltzer
> larryseltzer@...fdavis.com
> 
> 
> -----Original Message-----
> From: 0-1-2-3@....de [mailto:0-1-2-3@....de]
> Sent: Thursday, October 28, 2004 5:38 PM
> To: bugtraq@...urityfocus.com
> Subject: New URL spoofing bug in Microsoft Internet Explorer
> 
> New URL spoofing bug in Microsoft Internet Explorer
> 
> There is a security bug in Internet Explorer 6.0.2800.1106 (fully 
> patched), which allowes to show any faked target-address in the status

> bar of the window.
> 
> The example below will display a faked URL 
> ("http://www.microsoft.com/") in the status bar of the window, if you
move your mouse over the link.
> Click on the link and IE will go to "http://www.google.com/" and NOT 
> to "http://www.microsoft.com/" .
> 
> <a href="http://www.microsoft.com/"><table><tr><td><a
> href="http://www.google.com/">Click here</td></tr></table></a>
> 
> Description: Microsoft Internet Explorer can't handle links surrounded

> by a table and an other link correct.
> 
> The bug can be exploited using HTML mail message too.
> 
> Affected software: Microsoft Internet Explorer, Microsoft Outlook 
> Express, ...
> 
> Workaround: Don't click on non-trusted links. Or right-click on links 
> to see the real target. Or use Copy-and-Paste.
> 
> Regards,
> Benjamin Tobias Franz
> Germany
> 
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ