Bugtraq mailing list archives
Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability
From: Robert J Taylor <robert () rjamestaylor com>
Date: Thu, 27 May 2004 13:01:13 -0700
sandrijeski () yahoo com wrote:
> In-Reply-To: <40A90108.9000301 () kurczaba com>
>
> I can't see this as a vulnerability because it's legal code. I do something similar without using an image map for my site to hide the affiliate tracking code. This is the code:
>
> <a onmouseover="window.status='http://www.the-url-you-see.com';return true" title="The Link" onmouseout="window.status='Whatever-you-like-here';return true" href='http://www.some-other-url.com'>The link</a>

Being able to do something intentionally doesn't make it safe or ethical. You are hiding tracking information from the person using your site; in effect and in fact you are lying to your visitor. As a visitor to your site I would not appreciate my browser hiding the real contents of information used to track me and/or hide the real purpose of a benign-looking link. I would want my browser to be my agent, not yours.
Your anecdote rather establishes the vulnerability and points to its current use "in the wild."
Regards,
Robert J Taylor
robert-bugtraq () rjamestaylor com
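For anyone auditing pages for the status-bar mismatch discussed in this message, the following is an added example and not part of the original post: a small Python scanner that flags links whose inline handler writes a URL into `window.status` with a different host than the link's real `href`. The function names, the set of handlers checked, the inclusion of `<area>` tags, and the `.example` sample markup are all assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches window.status = '...' (or "...") inside an inline event handler.
STATUS_RE = re.compile(r"""window\.(?:default)?status\s*=\s*(['"])(.*?)\1""", re.I | re.S)
HANDLERS = ("onmouseover", "onmousemove", "onfocus")  # assumed set of handlers to inspect

def _host(url):
    """Host part of a URL, or '' when the string is not an absolute URL."""
    return urlparse(url.strip()).hostname or ""

class StatusSpoofFinder(HTMLParser):
    """Collects <a>/<area> tags that display one host and link to another."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = {k: v or "" for k, v in attrs}
        actual = _host(attr.get("href", ""))
        if not actual:
            return  # relative or missing href: nothing to compare against
        for name in HANDLERS:
            for _quote, shown_text in STATUS_RE.findall(attr.get(name, "")):
                shown = _host(shown_text)
                if shown and shown != actual:
                    self.findings.append({"tag": tag, "handler": name, "shown": shown,
                                          "actual": actual, "line": self.getpos()[0]})

def find_status_spoofs(html):
    """Return one finding per handler that shows a host other than href's."""
    finder = StatusSpoofFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup (not taken from any real site).
SAMPLE = """<p>constructed sample</p>
<a onmouseover="window.status='http://shown.example/';return true"
   href="http://tracker.example/go?aff=123">The link</a>
<a onmouseover="window.status='http://same.example/about';return true"
   href="http://same.example/about">Honest link</a>
<a href="http://plain.example/">No handler</a>
"""

if __name__ == "__main__":
    for finding in find_status_spoofs(SAMPLE):
        print(finding)
```

Only literal URLs assigned directly in the attribute are caught; status text built in external scripts or by string concatenation needs a rendering-based check.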