Message-ID: <9E97F0997FB84D42B221B9FB203EFA2701966F8F@dc1ms2.msad.brookshires.net>
Date: Thu Oct 20 19:12:39 2005
From: toddtowles at brookshires.com (Todd Towles)
Subject: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
It didn't work for me, but once I turned the pop-up blocker off it
did appear to work.
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf
> Of K-Gen Gen
> Sent: Thursday, October 20, 2005 4:49 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
>
> New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
>
> Gr337s .. I (K-Gen) have found a new (I think..) URL spoofing
> bug in IE.
>
> Affected : All MS-IE Browsers (Win XP SP2 as well).
>
> This allows a malicious website to host a specially crafted A
> HREF tag that shows to the user as a link to one location,
> but actually redirects to another. This can be used in
> Phishing scams and other malicious attacks.
>
> The basic idea here is to write a genuine <a href=""> </a> tag
> but include an onClick event handler that will redirect
> (window.location="";) to another page. The next example won't work:
>
> <a href="http://microsoft.com"
> onClick="window.location='http://google.com';">Microsoft</a>
>
> Probably there is some protection in IE .. but not enough :)
>
> If we try the next thing:
>
> <a href="http://microsoft.com" onClick="alert()">Microsoft</a>
>
> An alert WILL pop up before redirecting. The same thing will
> happen with the document.write(""); method: it will execute
> before redirection.
>
> Hence, the next Proof of Concept:
>
> <a href="http://microsoft.com"
>    onClick="document.write(unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e'))">Microsoft</a>
>
> Put the code into an HTML page and see for yourself. In the
> status bar and in the properties the link appears as
> http://microsoft.com , but if you click on the link it will
> redirect you to http://google.com .
>
> I used unescape because characters like < > and ' cause
> run-time errors...
>
> This is not as critical as the old %01@ bug (that
> still works on my IE SP1 :lol:), because it does not obscure
> the real link in the Address bar, but I bet there will be a
> PoC for this one too, sooner or later...
>
> Have a Nice Day.
> K-Gen
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
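The technique quoted above (an anchor whose visible href differs from the place an inline onClick handler actually sends the user, with the real target hidden behind unescape() in a document.write() call) is easy to spot statically once the handler is decoded. The following is an added example, not code from K-Gen's post or from the list: a small Node.js scanner that pulls every <a> tag out of an HTML string, decodes any unescape('...') payloads in its on* handlers the way the browser would, extracts assignments to location / location.href and location.replace()/assign() calls, and flags links whose handler destination does not match the href. It works on plain strings with regular expressions (no DOM library), so it only catches inline handlers written in the straightforward forms shown here; the sample HTML at the bottom is constructed for the example and reproduces the three snippets from the post plus one benign link.

```javascript
// Added example (not from the original post): flag <a> tags whose inline
// on* handler navigates somewhere other than the href the user sees.
// Assumptions: input is a plain HTML string; handlers are inline attributes;
// regexes are sufficient for the simple forms used in the PoC above.

// Mirror of the legacy JavaScript unescape(): decodes %XX and %uXXXX.
// Written out here so the decoding step is explicit and dependency-free.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Replace every unescape('...') / unescape("...") call in handler source with
// its decoded payload, repeating until nothing changes (handles nesting).
function decodeHandler(js) {
  const re = /unescape\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*\)/g;
  let prev;
  do {
    prev = js;
    js = js.replace(re, (m, q, body) => legacyUnescape(body));
  } while (js !== prev);
  return js;
}

// Collect string literals assigned to [window.|document.|top.|self.]location
// or location.href, and passed to location.replace()/assign().
// Note: "location == 'x'" comparisons do not match because "==" is not
// followed by a quote, so plain equality checks are not flagged.
function extractRedirectTargets(handlerSource) {
  const decoded = decodeHandler(handlerSource);
  const targets = [];
  const assign = /(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*(['"])([^'"]*)\1/g;
  const call = /location\.(?:replace|assign)\(\s*(['"])([^'"]*)\1\s*\)/g;
  let m;
  while ((m = assign.exec(decoded))) targets.push(m[2]);
  while ((m = call.exec(decoded))) targets.push(m[2]);
  return targets;
}

// Canonical form for comparison: origin + path without a trailing slash, so
// "http://example.com" and "http://example.com/" are treated as the same link.
function canon(u) {
  try {
    const p = new URL(u);
    return p.origin + p.pathname.replace(/\/$/, '');
  } catch (e) {
    return u.trim();
  }
}

// Scan the HTML and return one finding per mismatched (href, handler target).
function findSpoofedLinks(html) {
  const anchorRe = /<a\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  const findings = [];
  let m;
  while ((m = anchorRe.exec(html))) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1]))) {
      attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : a[3];
    }
    const href = attrs.href;
    if (!href) continue;
    for (const name of Object.keys(attrs).filter(k => k.startsWith('on'))) {
      for (const target of extractRedirectTargets(attrs[name])) {
        if (canon(target) !== canon(href)) {
          findings.push({ href, handler: name, actual: target });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: the three snippets from the post, plus a link whose
// handler goes to the same place as its href (must not be flagged).
const SAMPLE_HTML = `
<a href="http://microsoft.com" onClick="alert()">Microsoft</a>
<a href="http://microsoft.com" onClick="window.location='http://google.com';">Microsoft</a>
<a href="http://microsoft.com" onClick="document.write(unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e'))">Microsoft</a>
<a href="http://example.com" onclick="window.location='http://example.com/'">same target</a>
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findSpoofedLinks(SAMPLE_HTML), null, 2));
}
```

Running it prints two findings, both with href http://microsoft.com and actual http://google.com: the bare window.location assignment and the document.write(unescape(...)) variant, which is only visible because the %XX payload is decoded first. The alert() link yields no navigation target and the example.com link is skipped because its decoded destination canonicalises to its own href. The same decode-then-compare step is what a phishing filter or HTML sanitiser needs; without the decoding, a grep for "window.location" in the raw attribute misses the PoC entirely.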