I realize that while many would be fooled, many wouldn't be, because the
frame is very visible; as shown here:
http://www.kurczaba.com/images/iespoof.png.
Though, as you said, there is probably a way to bypass the homepage
verification dialog.
It is just a matter of time :)
Just my 2 cents,
Paul
----- Original Message -----
From: "Andrew Hunter" <andiroohunter (at) msn (dot) com [email concealed]>
To: <bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Friday, October 15, 2004 5:50 PM
Subject: [IE 6 SP2] Possible URL Spoofing
> Program: IE 6 Sp2
> Version: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
> OS: Windows XP Home SP2
>
> I was just messing around with IE, playing with JavaScript.
> It's a well known fact that IE lets you run javascript from the address
> bar:
>
> e.g Type the following into the address bar: javascript:alert('IE Sucks Go
> Get
> FireFox');document.location="http://www.mozilla.org/products/firefox/";
>
> That address will display a message box and then take you to the firefox
> download page. I then started to wonder what would happen if i set a
> similar address as my homepage. So i went and did exactly that. It was
> ammusing to see IE display "You Smell" when i clicked the homepage button.
>
> I closed IE, and just dismissed the idea. Later on when i clicked the IE
> logo i heard the sound that windows makes when a message box is displayed.
> I couldn't see anything and IE failed to open.
>
> I pressed Ctrl-Alt-Del and just caught a glimps of it closing.
>
> I experimented more with setting the homepage to different things when i
> came accross this:
>
> javascript:document.write("<iframe src='http://www.google.com'
> width='100%' height='100%'></iframe>");
>
> I went to www.slashdot.org and pressed my homepage button. Lo and behold
> google appeared on my screen and the address was still www.slashdot.org!
>
> I couldn't find any JavaScript to auto set this as the homepage without
> asking the user to varify this, but i think there may be other ways in
> which this hole can be exploited!
>
> _________________________________________________________________
> Want to block unwanted pop-ups? Download the free MSN Toolbar now!
> http://toolbar.msn.co.uk/
>
>
frame is very visible; as shown here:
http://www.kurczaba.com/images/iespoof.png.
Though, as you said, there is probably a way to bypass the homepage
verification dialog.
It is just a matter of time :)
Just my 2 cents,
Paul
----- Original Message -----
From: "Andrew Hunter" <andiroohunter (at) msn (dot) com [email concealed]>
To: <bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Friday, October 15, 2004 5:50 PM
Subject: [IE 6 SP2] Possible URL Spoofing
> Program: IE 6 Sp2
> Version: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
> OS: Windows XP Home SP2
>
> I was just messing around with IE, playing with JavaScript.
> It's a well known fact that IE lets you run javascript from the address
> bar:
>
> e.g Type the following into the address bar: javascript:alert('IE Sucks Go
> Get
> FireFox');document.location="http://www.mozilla.org/products/firefox/";
>
> That address will display a message box and then take you to the firefox
> download page. I then started to wonder what would happen if i set a
> similar address as my homepage. So i went and did exactly that. It was
> ammusing to see IE display "You Smell" when i clicked the homepage button.
>
> I closed IE, and just dismissed the idea. Later on when i clicked the IE
> logo i heard the sound that windows makes when a message box is displayed.
> I couldn't see anything and IE failed to open.
>
> I pressed Ctrl-Alt-Del and just caught a glimps of it closing.
>
> I experimented more with setting the homepage to different things when i
> came accross this:
>
> javascript:document.write("<iframe src='http://www.google.com'
> width='100%' height='100%'></iframe>");
>
> I went to www.slashdot.org and pressed my homepage button. Lo and behold
> google appeared on my screen and the address was still www.slashdot.org!
>
> I couldn't find any JavaScript to auto set this as the homepage without
> asking the user to varify this, but i think there may be other ways in
> which this hole can be exploited!
>
> _________________________________________________________________
> Want to block unwanted pop-ups? Download the free MSN Toolbar now!
> http://toolbar.msn.co.uk/
>
>
[ reply ]