BugTraq
New URL spoofing bug in Microsoft Internet Explorer Oct 28 2004 09:38PM
0-1-2-3 gmx de (3 replies)
New URL spoofing bug in Microsoft Internet Explorer

There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched),
which allowes to show any faked target-address in the status bar of the
window.

The example below will display a faked URL ("http://www.microsoft.com/") in
the status bar of the window, if you move your mouse over the link. Click
on the link and IE will go to "http://www.google.com/" and NOT to
"http://www.microsoft.com/" .

<a href="http://www.microsoft.com/"><table><tr><td><a
href="http://www.google.com/">Click here</td></tr></table></a>

Description: Microsoft Internet Explorer can't handle links surrounded by a
table and an other link correct.

The bug can be exploited using HTML mail message too.

Affected software: Microsoft Internet Explorer, Microsoft Outlook Express,
...

Workaround: Don't click on non-trusted links. Or right-click on links to
see the real target. Or use Copy-and-Paste.

Regards,
Benjamin Tobias Franz
Germany

[ reply ]
Re: New URL spoofing bug in Microsoft Internet Explorer Oct 29 2004 04:53AM
GuidoZ (uberguidoz gmail com) (1 replies)
Re: New URL spoofing bug in Microsoft Internet Explorer Oct 29 2004 05:34AM
GuidoZ (uberguidoz gmail com)
RE: New URL spoofing bug in Microsoft Internet Explorer Oct 29 2004 02:14AM
Larry Seltzer (larry larryseltzer com) (1 replies)
Re: New URL spoofing bug in Microsoft Internet Explorer Oct 29 2004 07:20PM
GuidoZ (uberguidoz gmail com) (1 replies)
RE: New URL spoofing bug in Microsoft Internet Explorer Oct 29 2004 11:08PM
Larry Seltzer (larry larryseltzer com)
Re: New URL spoofing bug in Microsoft Internet Explorer Oct 29 2004 12:15AM
Christopher J. Pilkington (christopher j pilkington gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus