Message-ID: <20040721055258.38867.qmail@web21404.mail.yahoo.com>
From: greyhatthe2nd at yahoo.com (John Dowling)
Subject: A Popup! In Mozilla!
James,
That's a natural workaround to allow the site to
continue to generate impressions of popups they sell.
This <div> tag allows a 'chromeless window' to appear
at z-index 3, floating above the normal browser
window. As this image is a capture from a winXP box
with default color scheme, this trick does not appear
tricky at all on other systems.
What does suck, however, about this method of delivery
(besides getting an ad at all) is that one must hope
that there is a legitimate 'close'(hide) method
somewhere within the <div>, else we are left with the
'popup'.
People like myself, that already have blocked the site
serving the content (using HOSTS) are, well, hosed.
/jd
--------------------------------------------------------------------------------
From: James Woodcock <spamtrap2@...tarnet.com.au>
To: Full Disclosure <full-disclosure@...ts.netsys.com>
Subject: [Full-Disclosure] A Popup! In Mozilla!
Date: Wed, 21 Jul 2004 14:13:09 +1000
--------------------------------------------------------------------------------
This might seem like it should be going to a webdev list,
but there's a possible security implication, so here goes;
http://2-spyware.com/file-cnfrm-exe.html
In Mozilla 1.5 and FireFox 0.9 with the pop-up blocker turned
on, I get a pop-up! It's purporting to be an important notice
from my Network Administrator - you'll probably recognise it;
http://2-spyware.com/images/2SPYRR1C.gif
Looking at the source of the page, I see that the pop-up is
being generated by a <DIV> statement that comes after the
closing </html> tag which - I thought - was supposed to
indicate the end of the document.
Is a web browser supposed to be able to render code outside
the <html></html> tags?
Using IE 6.0.2800.1106, on viewing the source, I find that
the DIV statement that followed the closing </html> tag is
now the last statement BEFORE the </html> tag. What gives?
James
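
Added example, not part of either message: a Python check over page source for the pattern discussed in this thread. It flags elements that appear after the closing </html> tag and inline-styled layers positioned with a positive z-index. The sample page is constructed, and the names OverlayScanner and scan are hypothetical.

```python
import re
from html.parser import HTMLParser


class OverlayScanner(HTMLParser):
    """Flags elements after </html> and inline-styled floating layers."""

    def __init__(self):
        super().__init__()
        self.html_closed = False
        self.findings = []  # (tag, line number, list of reasons)

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").lower()
        z = re.search(r"z-index\s*:\s*(-?\d+)", style)
        positioned = re.search(r"position\s*:\s*(absolute|fixed)", style)
        reasons = []
        if self.html_closed:
            reasons.append("after </html>")
        if positioned and z and int(z.group(1)) > 0:
            reasons.append(f"floating layer z-index {z.group(1)}")
        if reasons:
            self.findings.append((tag, self.getpos()[0], reasons))


def scan(source):
    scanner = OverlayScanner()
    scanner.feed(source)
    scanner.close()
    return scanner.findings


# Constructed sample: a floating <div> placed after the closing </html> tag.
SAMPLE = """<html>
<body><p>Article text</p></body>
</html>
<div style="position:absolute; z-index:3; top:80px; left:120px">
<img src="notice.gif"><a href="#">OK</a>
</div>
"""

if __name__ == "__main__":
    for tag, line, reasons in scan(SAMPLE):
        print(f"line {line}: <{tag}> {', '.join(reasons)}")
```

The check only reads inline style attributes; layers styled from a stylesheet or script would need the rendered DOM to be inspected instead.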