Date: Fri Oct 21 18:31:39 2005
From: jakecoleus at yahoo.com (Jake Cole)
Subject: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen)

--- Nick FitzGerald <nick@...us-l.demon.co.uk> wrote:
> "expected" and "most" don't quite tie up.  Is it
> "expected" or not?
> 
> Hmmmm -- a "Firefox version"??
> 
> Suggests that it is not quite entirely "expected",
> eh?
> 
> More that it is a corner case, or perhaps, even --
> gasp -- undefined, 
> no??
>

You've turned a technical discussion into a nitpick
over poorly chosen words. I fail to see what that
accomplishes.

The original author posted an example which was not
cross-browser for reasons not related to the
"exploit". IE uses document.write on the _current_
document yet Mozilla uses it in its original called
context. I simply added a SetTimeout to force Mozilla
to delay the call by a few milliseconds (FYI, the
"Firefox Version" works in IE also). But this little
browser inconsistency is meaningless because there are
dozens of other cross-browser methods to accomplish
the redirection without using document.write or
SetTimeout, as shown in the previous poster's example
using 'self.location.href'.

It is "expected" that when the user clicks on an
anchor tag, any action specified in the onClick event
will be executed. This is defined by the W3C spec and
consistent across all browsers. If one of several
scripting languages is enabled, the onClick event can
perform any of an endless number of actions. It can
create a mouseover, open a new window, call another
script, load an external object, close the browser,
and, yeah, it can even tell your browser to go to
google.com. All of these actions are potentially
malicious and may not be what the end-user expects.

Your argument that this is not sane behavior may be
valid but this behavior is as old as the web as we
know it. The time to speak up was almost a decade ago
because, without massive ramifications to the
functionality of millions of websites, not much is
going to completely "fix" it now.

This has gone way off track.


		
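An added example, not part of the original post or thread: a small JavaScript (Node) audit that flags anchors whose onClick handler uses the constructs named in the message (a location assignment, document.write, setTimeout) and reports when a URL inside the handler points at a different host than the href the user sees. The function names, the regex-based tag matching and SAMPLE_HTML are assumptions constructed for illustration.

```javascript
// Added example: audit anchors whose onclick handler can change the destination.
// Handler constructs taken from the thread; the patterns themselves are assumptions.
const NAV_PATTERNS = [
  { name: "location", re: /\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(/i },
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/i },
  { name: "setTimeout", re: /\bsetTimeout\s*\(/i },
];
const URL_RE = /https?:\/\/[^\s'"\\)<>]+/gi;

// Collect attributes of one opening tag; quoted values are consumed whole,
// so script text inside onclick is never mistaken for further attributes.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Hostname of an absolute URL, or null for relative/empty/invalid values.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Return one finding per anchor whose onclick contains a navigation construct.
function auditAnchors(html) {
  const findings = [];
  // Quote-aware match so a '>' inside an attribute value does not end the tag.
  const tagRe = /<a\s(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
  for (const [tag] of html.matchAll(tagRe)) {
    const attrs = parseAttrs(tag);
    const handler = attrs.onclick;
    if (!handler) continue;
    const constructs = NAV_PATTERNS.filter((p) => p.re.test(handler)).map((p) => p.name);
    if (constructs.length === 0) continue;
    const shownHost = hostOf(attrs.href || "");
    const handlerHosts = [...new Set((handler.match(URL_RE) || []).map(hostOf).filter(Boolean))];
    const mismatch = handlerHosts.some((h) => h !== shownHost);
    findings.push({ href: attrs.href || null, constructs, handlerHosts, mismatch });
  }
  return findings;
}

// Constructed sample markup (not taken from the thread).
const SAMPLE_HTML = `
<a href="http://www.example.com/" onclick="self.location.href='http://other.example.net/'; return false;">Example</a>
<a href="http://www.example.com/" onclick="setTimeout(function(){ document.write('<b>loading</b>'); }, 10)">Delayed</a>
<a href="http://www.example.com/help" onclick="trackClick(this)">Help</a>
<a href="http://www.example.com/about">About</a>`;
console.log(auditAnchors(SAMPLE_HTML));
```

A finding with `mismatch: false` still deserves a look: the handler rewrites or delays the page without naming a literal URL, so the destination cannot be read off statically.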
