lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6004a3f50410281715307b950d@mail.gmail.com>
Date: Thu, 28 Oct 2004 20:15:19 -0400
From: "Christopher J. Pilkington" <christopher.j.pilkington@...il.com>
To: "0-1-2-3@....de" <0-1-2-3@....de>
Cc: bugtraq@...urityfocus.com
Subject: Re: New URL spoofing bug in Microsoft Internet Explorer


Under IE 6.0.2900.2180, this does not occur as you describe.

If the mouse pointer is pointed to the edge around the link,
"http://www.microsoft.com" is displayed, but when the pointer is
directly over the link, "http://www.google.com" is correctly
displayed.

On Thu, 28 Oct 2004 23:38:16 +0200, 0-1-2-3@....de <0-1-2-3@....de> wrote:
> New URL spoofing bug in Microsoft Internet Explorer
> 
> There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched),
> which allowes to show any faked target-address in the status bar of the
> window.
> 
> The example below will display a faked URL ("http://www.microsoft.com/") in
> the status bar of the window, if you move your mouse over the link. Click
> on the link and IE will go to "http://www.google.com/" and NOT to
> "http://www.microsoft.com/" .
> 
> <a href="http://www.microsoft.com/"><table><tr><td><a
> href="http://www.google.com/">Click here</td></tr></table></a>
> 
> Description: Microsoft Internet Explorer can't handle links surrounded by a
> table and an other link correct.
> 
> The bug can be exploited using HTML mail message too.
> 
> Affected software: Microsoft Internet Explorer, Microsoft Outlook Express,
> ...
> 
> Workaround: Don't click on non-trusted links. Or right-click on links to
> see the real target. Or use Copy-and-Paste.
> 
> Regards,
> Benjamin Tobias Franz
> Germany
> 
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ