Full Disclosure mailing list archives
Re: Mouseover URL spoof with IE
From: Martin Stricker <shugal () gmx de>
Date: Wed, 09 Feb 2005 23:02:25 +0100
Danny wrote:
> On Wed, 9 Feb 2005 12:24:29 -0800, Thor Larholm wrote:
>> The addressbar can by design be programmatically changed to display anything you want at any time, including when you hover over a link and the onmouseover event fires. Simply change the window.status property from JS.
>
> Based on my answer above, I take this as a definite "yes" by the means of the web designer/developer simply changing the window.status property in their JavaScript?
<a href="http://bad-site.xx/" onmouseover="javascript:window.status='http://nice-site.xx';">blah</a>

If you point your mouse over that link, you'll see "http://nice-site.xx" in the status bar, but clicking will lead you to http://bad-site.xx/. This is already widely used in spoof e-mails.

[.xx is a ccTLD which, per RFC and ISO standard, will *never* be used, so my example domains will never exist. Just a precaution.]

Best regards,
Martin Stricker
--
Homepage: http://www.martin-stricker.de/
Linux Migration Project: http://www.linux-migration.org/
Red Hat Linux 9 for low memory: http://www.rule-project.org/
Registered Linux user #210635: http://counter.li.org/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
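A mail filter or proxy can flag the pattern shown in the message above by comparing the host an inline handler writes to the status bar with the host the link really targets. The following is an added example, not part of the original post; the function name find_status_spoofs, the event list and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assignment to the status bar inside an inline handler, e.g. window.status='...'
STATUS_RE = re.compile(r"""\b(?:window\.|self\.)?status\s*=\s*(['"])(.*?)\1""", re.I | re.S)
EVENTS = ("onmouseover", "onmousemove", "onfocus")  # assumed list; extend as needed

def _host(url):
    # Lower-cased host of a URL-like string, or '' if it names no dotted host.
    url = url.strip()
    if "//" not in url:              # allow scheme-less text like "www.nice-site.xx"
        url = "//" + url
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:               # malformed netloc, e.g. unbalanced brackets
        return ""
    return host if "." in host else ""

class _StatusSpoofFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)          # names arrive lower-cased, values unescaped
        href = attrs.get("href") or ""
        for event in EVENTS:
            m = STATUS_RE.search(attrs.get(event) or "")
            shown = m.group(2) if m else ""
            # Flag only when the displayed text names a host other than the real target.
            if _host(shown) and _host(shown) != _host(href):
                self.findings.append({"event": event, "href": href, "shown": shown})

def find_status_spoofs(html):
    """Return one finding per link whose handler shows a different host than its href."""
    parser = _StatusSpoofFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the post's link, a handler matching its href, a non-URL status text.
SAMPLE = """
<A HREF="http://bad-site.xx/" onMouseOver="javascript:window.status='http://nice-site.xx';">blah</A>
<a href="http://nice-site.xx/a" onmouseover="window.status='http://nice-site.xx/'">ok</a>
<a href="http://nice-site.xx/b" onmouseover="window.status='Done'; return true">ok</a>
"""
```

Calling find_status_spoofs(SAMPLE) reports only the first link; exact host comparison means a handler showing a sibling subdomain of the real target is also reported.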