lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 22 Feb 2006 20:28:51 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: psz@...hs.usyd.edu.au, bugtraq@...urityfocus.com
Subject: Re: Internet Explorer Phishing mouseover issue



The "http-equiv" and "Gandalf" examples are very similar, but I think
there might be some important distinctions.

1) The http-equiv example (CVE-2004-1104) uses a BASE tag with an href
   attribute.  In the form, the A tag has an "href=" without a value.

   The value of the BASE HREF is displayed on the status bar when the
   user does a mouseover.

2) The Gandalf example (CVE-2006-0799) does not have a base href at
   all.  But the A HREF has a value.

   The value of the A href is displayed on the status bar when the
   user does a mouseover.

3) If you use a hybrid of the two previous examples, in which both
   BASE and A tags specify an href, then the A HREF is displayed on
   the status bar when the user does a mouseover.

NOTE that the following difference does not seem to have an impact:

4) the http-equiv example has the A tag outside of the form, but the
   Gandalf example has the A tag inside the form.  Switching these
   around doesn't seem to affect what gets displayed.


Both examples have the same problem in which the form's "action" step
is not displayed in the status bar, but as we see above, there are two
separate vectors with slightly different results.

This was tested in IE 6.0.2900.2180 on XP.

- Steve


Powered by blists - more mailing lists