Date: Wed, 22 Feb 2006 20:28:51 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: psz@...hs.usyd.edu.au, bugtraq@...urityfocus.com
Subject: Re: Internet Explorer Phishing mouseover issue

The "http-equiv" and "Gandalf" examples are very similar, but I think
there might be some important distinctions.

1) The http-equiv example (CVE-2004-1104) uses a BASE tag with an href
   attribute. In the form, the A tag has an "href=" without a value.
   The value of the BASE HREF is displayed on the status bar when the
   user does a mouseover.

2) The Gandalf example (CVE-2006-0799) does not have a base href at
   all. But the A HREF has a value. The value of the A href is
   displayed on the status bar when the user does a mouseover.

3) If you use a hybrid of the two previous examples, in which both
   BASE and A tags specify an href, then the A HREF is displayed on
   the status bar when the user does a mouseover.

NOTE that the following difference does not seem to have an impact:

4) the http-equiv example has the A tag outside of the form, but the
   Gandalf example has the A tag inside the form. Switching these
   around doesn't seem to affect what gets displayed.

Both examples have the same problem in which the form's "action" step
is not displayed in the status bar, but as we see above, there are two
separate vectors with slightly different results.

This was tested in IE 6.0.2900.2180 on XP.

- Steve