Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability

[Robert J Taylor <robert () rjamestaylor com>]

sandrijeski () yahoo com wrote:

> In-Reply-To: <40A90108.9000301 () kurczaba com>
>
> I can't see this as vulnerability because its legal code I do something similar without using image map for my site to 
> hide the affiliate tracking code.
> This is the code:
> <a onmouseover="window.status='http://www.the-url-you-see.com;return true" 
> title="The Link"
> onmouseout="window.status='Whatever-you-like-here';return true"
> href='http://www.some-other-url.com&apos;>The link</a>
>
>  
Being able to do something intentionally doesn't make it safe or 
ethical. You are hiding tracking information from the person using your 
site; in effect and in fact you are lying to your visitor.  As a visitor 
to your site I would not appreciate my browser hiding the real contents 
of information used to track me and or hide the real purpose of a 
benign-looking link. I would want my browser to be my agent, not yours.

Your anecdote rather establishes the vulnerability and points to its 
current use "in the wild."


Regards,

Robert J Taylor
robert-bugtraq () rjamestaylor com