lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu Oct 20 19:35:12 2005
From: mike.camden at gmail.com (Mike Camden)
Subject: New (19.10.05) MS-IE Url Spoofing bug (by
	K-Gen).

I thought this was by design since you may have a known url to go to but
only after some form of validation has been passed.


 On 10/20/05, K-Gen Gen <alphakgen@...il.com> wrote:
>
> New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
>
> Gr337s .. I (K-Gen) have found a new (I think..) URL spoofing bug in IE.
>
> Affected : All MS-IE Browsers (Win XP SP2 as well).
>
> This allows a malicious website to host a specially crafted A HREF tag
> that shows to the user
> as a link to one location, but actually redirects to another. This can
> be used in Phishing scams
> and other malicious attacks.
>
> The basic idea here is to write a geniune <a href=""> </a>tag but
> include an onClick event handeler
> that will redirect (window.location="";) to another page. The next
> example won't work:
>
> <a href="http://microsoft.com"
> onClick="window.location='http://google.com';">Microsoft</a>
>
> Probably there is some protection in IE .. but not enough :)
>
> If we try the next thing:
>
> <a href="http://microsoft.com" onClick="alert()">Microsoft</a>
>
> An alert WILL pop-up before redirecting. The same thing will happen to
> the document.write("");
> method, it will execute before redirection.
>
> Hence, the next Proof of Concept:
>
> <a href="http://microsoft.com"
> onClick="document.write
> (unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e'))">Microsoft</a>
>
> Put the code into an HTML page and see for yourself. In the status bar
> and in the properties the
> link appears as http://microsoft.com , but if you click on the link it
> will redirect you to
> http://google.com .
>
> I used unescape becuse characters like < > and ' cause run-time errors...
>
> This is not extremely critical as the old %01@ bug (That still works
> on my IE sp1 :lol:), becuase
> It does not obscure the real link in the Address bar, but i bet there
> will be a PoC for this one too, sooner or later...
>
> Have a Nice Day.
> K-Gen
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051020/51dac1df/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ