lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <006f01c4c125$798497e0$2af1b9d9@oemcomputer> Date: Tue, 2 Nov 2004 22:45:40 +0100 From: "Benjamin Tobias Franz" <0-1-2-3@....de> To: <bugtraq@...urityfocus.com> Subject: URL spoofing bug (with iframes) in Microsoft Internet Explorer (11/02/2004) URL spoofing bug (with iframes) in Microsoft Internet Explorer: (11/02/2004) There is a security bug in Microsoft Internet Explorer, which allows to show any faked target-address in the status bar of the window. The example below will display a faked URL ("http://www.microsoft.com/") in the status bar of the window, if you move your mouse over the link. Click on the link and IE will go to "http://www.google.com/" and NOT to "http://www.microsoft.com/" . HTML code for page #1 called "btf.htm": <a href="http://www.microsoft.com/"> <iframe src="./btf-spoofing.htm" frameborder="0" scrolling="no" width="70" height="25" marginheight="0" marginwidth="0"></iframe> </a> HTML code for page #2 called "btf-spoofing.htm": <a href="http://www.google.com/" target="_top">Click here</a> Save both codes as HTML files in the same directory and open "btf.htm" with Microsoft Internet Explorer. Description: Microsoft Internet Explorer can not handle embedded frames with links surrounded by an other link correct. Successful exploitation allows a malicious web site to obfuscate URLs in the status bar, even when javascript support has been disabled. Affected software: Microsoft Internet Explorer Workaround: Never follow links from untrusted sources. Or right-click on links ans select "Properties" to see the real target. Or use Copy-and-Paste. Tested in Microsoft Internet Explorer 6 SP1 (6.0.2800.1106) with all patches installed on Windows 98. I see "http://www.microsoft.com/" in status bar. ONLY if I press tabulator-key 3x (to jump to next link) or click on the link, then I can see correct info ("http://www.google.com/") in status bar. My DLL versions: MSHTML.DLL: 6.00.2800.1477 BROWSEUI.DLL: 6.00.2800.1596 (xpsp2.040919-1003) SHDOCVW.DLL: 6.00.2800.1596 (xpsp2.040919-1003) SHLWAPI.DLL: 6.00.2800.1584 (xpsp2.040720-1705) URLMON.DLL: 6.00.2800.1475 WININET.DLL: 6.00.2800.1475 Regards, Benjamin Tobias Franz Germany
Powered by blists - more mailing lists