Message-ID: <4359D0A9.14601.9814F70@gmail.com>
Date: Fri Oct 21 17:40:08 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).

Raoul Nakhmanson-Kulish to me:

> >>Cross-platform code (remove line breaks to test):
> >><a href="http://www.microsoft.com" 
> >>onclick="self.location.href='http://www.google.com/';return 
> >>false;">Microsoft</a>
> >>Works OK in MSIE 6.0/Win2003 SP1 fully patched, Mozilla 1.7.12, Opera 8.50.
> > In my Win2KSP4+, Mozilla 1.0.7 it doesn't work
> Do you mean Mozilla Firefox 1.0.7?

Yes -- fingers don't work as fast as grey matter...

> Had you removed line breaks (there must be a space between "return" and
> "false")?
> Had you allowed JavaScript in your browser?

Yes, and yes, but I missed (in my hurry) that this (your?) "example" 
was not the OP's.  My comments apply to the OP's code -- in Firefox 
1.0.7 on Win2K SP4 UR1+ the spoof does NOT work -- mouse-over the link 
and it is to MS and clicking it takes you to MS.

BUT, as I also said, if you then hit "go back", instead of taking you 
to the original PoC page Firefox takes you "back" to Google (another 
"go back" takes you to the PoC page and now Google and then MS is in 
your forward browser history).

IE 6.0 SP1+ is even weirder with the original PoC, as regards "go back" 
behaviour -- it seems that trying to go back to the PoC page (from 
Google, as the forward spoof works) causes the spoof script to be re-
run, popping you back to Google despite the mouse-over location for the 
"go back" button being the URL to the PoC.  However, selecting the 
first instance of the PoC URL from the drop-down on the "go back" 
button successfully reloads the PoC page...

> I tested the code in FF 1.0.7 on fully patched Win2K SP4 UR1. It works.

Yes, your (the above) code works on Firefox 1.0.7 and does not have the 
"go back" weirdness in either Firefox or IE.


Regards,

Nick FitzGerald
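The exchange above turns on two things: an anchor whose `onclick` sends the browser somewhere other than the `href` it advertises on mouse-over, and the detail that a line break between `return` and `false` stops the handler from cancelling the default navigation. The following is an added example, not code from the thread or from either poster: a small scanner that pulls anchors out of a constructed HTML sample, runs each inline handler against stub `window`/`self` objects so the real target and return value can be observed offline, and flags links whose displayed host differs from where a click would actually go. The sample markup, the stub objects and the function names are all assumptions made for this example.

```javascript
// Added example (not from the thread). The HTML below is constructed for this
// demonstration; the third anchor reproduces the "line break after return" case.
const SAMPLE_HTML = `
<a href="http://www.microsoft.com" onclick="self.location.href='http://www.google.com/';return false;">Microsoft</a>
<a href="http://www.example.org/docs">Docs</a>
<a href="http://www.example.org/login" onclick="window.location.href='http://www.example.net/';return
false;">Login</a>
`;

// Pull every <a ...>text</a> out of a flat HTML string. A regex is adequate for
// a sample like this; a DOM parser is the right tool for real pages.
function extractAnchors(html) {
  const anchors = [];
  const re = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const get = (name) => {
      const am = new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, 'i').exec(attrs);
      return am ? am[1] : null;
    };
    anchors.push({ href: get('href'), onclick: get('onclick'), text: m[2].trim() });
  }
  return anchors;
}

// Run an inline handler against stub objects (self, window and top all alias
// the same stub) so we can see where it would send the page and whether it
// returns false, which is what cancels the default follow of href. A handler
// that ends in "return\nfalse" hits automatic semicolon insertion and returns
// undefined, so the default navigation is not cancelled.
function simulateClick(onclick) {
  const stub = { location: { href: null } };
  try {
    const fn = new Function('self', 'window', 'top', onclick);
    const ret = fn(stub, stub, stub);
    return { redirectedTo: stub.location.href, cancelsDefault: ret === false };
  } catch (e) {
    // Handler touched something the stub does not provide; treat as no redirect.
    return { redirectedTo: null, cancelsDefault: false };
  }
}

function hostOf(url) {
  return new URL(url).host;
}

// Report anchors whose click handler navigates to a host other than the one
// the href (and therefore the mouse-over/status bar) advertises.
function findSpoofedLinks(html) {
  const findings = [];
  for (const a of extractAnchors(html)) {
    if (!a.onclick || !a.href) continue;
    const sim = simulateClick(a.onclick);
    if (!sim.redirectedTo) continue;
    const shown = hostOf(a.href);
    const actual = hostOf(sim.redirectedTo);
    if (shown !== actual) {
      findings.push({ text: a.text, shown, actual, cancelsDefault: sim.cancelsDefault });
    }
  }
  return findings;
}

for (const f of findSpoofedLinks(SAMPLE_HTML)) {
  console.log(`"${f.text}" shows ${f.shown} but goes to ${f.actual}` +
    (f.cancelsDefault ? '' : ' (default navigation NOT cancelled)'));
}
```

Run with `node`: the "Microsoft" anchor is reported with the default navigation cancelled, while the "Login" anchor is reported with the note that it is not, which is the behaviour the thread describes for code tested with the line break left in. Executing handler text through `new Function` is only sensible for a sample you control, as here; for scanning real markup, static inspection of the attribute is the safer route.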
