|
|
BugTraq
New URL spoofing bug in Microsoft Internet Explorer Oct 28 2004 09:38PM 0-1-2-3 gmx de (3 replies) Re: New URL spoofing bug in Microsoft Internet Explorer Oct 29 2004 04:53AM GuidoZ (uberguidoz gmail com) (1 replies) Re: New URL spoofing bug in Microsoft Internet Explorer Oct 29 2004 05:34AM GuidoZ (uberguidoz gmail com) Re: New URL spoofing bug in Microsoft Internet Explorer Oct 29 2004 12:15AM Christopher J. Pilkington (christopher j pilkington gmail com) |
|
Privacy Statement |
Has no problem - the status bar says Google and the click goes to Google
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
larryseltzer (at) ziffdavis (dot) com [email concealed]
-----Original Message-----
From: 0-1-2-3 (at) gmx (dot) de [email concealed] [mailto:0-1-2-3 (at) gmx (dot) de [email concealed]]
Sent: Thursday, October 28, 2004 5:38 PM
To: bugtraq (at) securityfocus (dot) com [email concealed]
Subject: New URL spoofing bug in Microsoft Internet Explorer
New URL spoofing bug in Microsoft Internet Explorer
There is a security bug in Internet Explorer 6.0.2800.1106 (fully
patched), which allowes to show any faked target-address in the status
bar of the window.
The example below will display a faked URL ("http://www.microsoft.com/")
in the status bar of the window, if you move your mouse over the link.
Click on the link and IE will go to "http://www.google.com/" and NOT to
"http://www.microsoft.com/" .
<a href="http://www.microsoft.com/"><table><tr><td><a
href="http://www.google.com/">Click here</td></tr></table></a>
Description: Microsoft Internet Explorer can't handle links surrounded
by a table and an other link correct.
The bug can be exploited using HTML mail message too.
Affected software: Microsoft Internet Explorer, Microsoft Outlook
Express, ...
Workaround: Don't click on non-trusted links. Or right-click on links to
see the real target. Or use Copy-and-Paste.
Regards,
Benjamin Tobias Franz
Germany
[ reply ]