Full Disclosure mailing list archives
Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 22 Oct 2005 05:39:54 +1300
Raoul Nakhmanson-Kulish to me:
Cross-platform code (remove line breaks to test):
<a href="http://www.microsoft.com" onclick="self.location.href='http://www.google.com/';return false;">Microsoft</a>
Works OK in MSIE 6.0/Win2003 SP1 fully patched, Mozilla 1.7.12, Opera 8.50.
In my Win2KSP4+, Mozilla 1.0.7 it doesn't work
Do you mean Mozilla Firefox 1.0.7?
Yes -- fingers don't work as fast as grey matter...
Had you removed line breaks (there must be a space between "return" and "false")? Had you allowed JavaScript in your browser?
Yes, and yes, but I missed (in my hurry) that this (your?) "example" was not the OP's. My comments apply to the OP's code -- in Firefox 1.0.7 on Win2K SP4 UR1+ the spoof does NOT work -- mouse-over the link and it is to MS and clicking it takes you to MS. BUT, as I also said, if you then hit "go back", instead of taking you to the original PoC page Firefox takes you "back" to Google (another "go back" takes you to the PoC page and now Google and then MS is in your forward browser history).
IE 6.0 SP1+ is even weirder with the original PoC, as regards "go back" behaviour -- it seems that trying to go back to the PoC page (from Google, as the forward spoof works) causes the spoof script to be re-run, popping you back to Google despite the mouse-over location for the "go back" button being the URL to the PoC. However, selecting the first instance of the PoC URL from the drop-down on the "go back" button successfully reloads the PoC page...
I tested the code in FF 1.0.7 on fully patched Win2K SP4 UR1. It works.
Yes, your (the above) code works on Firefox 1.0.7 and does not have the "go back" weirdness in either Firefox or IE.
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
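Added example, not part of the original post or thread: a Node.js check that flags links like the one quoted above, where the inline onclick handler sends the browser to a different origin than the href shown on mouse-over. The function names, the regex-based tag extraction (an assumption made to keep it dependency-free; it will miss tags whose attributes contain ">") and the second sample link are constructed for illustration.

```javascript
// Constructed sample: the link quoted in the thread plus a benign same-site link.
const SAMPLE_HTML = [
  `<a href="http://www.microsoft.com" onclick="self.location.href='http://www.google.com/';return false;">Microsoft</a>`,
  `<a href="/docs" onclick="location.href='/docs?src=nav';return false;">Docs</a>`,
].join("\n");

// Read one quoted attribute value out of a start tag (hypothetical helper).
function getAttr(tag, name) {
  const re = new RegExp("\\s" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)')", "i");
  const m = re.exec(tag);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// Collect string literals assigned to location / location.href, or passed to
// location.assign() / location.replace(), inside an inline handler.
function handlerTargets(js) {
  const re = /location(?:\.href)?\s*(?:=|\.(?:assign|replace)\s*\()\s*(['"])(.*?)\1/gi;
  const out = [];
  let m;
  while ((m = re.exec(js)) !== null) out.push(m[2]);
  return out;
}

// Return one finding per anchor whose handler navigates to an origin that
// differs from the origin of its href (the URL the status bar displays).
function findMismatchedLinks(html, baseUrl) {
  const findings = [];
  for (const tag of html.match(/<a\s[^>]*>/gi) || []) {
    const href = getAttr(tag, "href");
    const onclick = getAttr(tag, "onclick");
    if (!href || !onclick) continue;
    let shown;
    try { shown = new URL(href, baseUrl); } catch (e) { continue; }
    for (const target of handlerTargets(onclick)) {
      let actual;
      try { actual = new URL(target, baseUrl); } catch (e) { continue; }
      if (actual.origin !== shown.origin) {
        findings.push({ shown: shown.href, actual: actual.href });
      }
    }
  }
  return findings;
}

// The base URL is a constructed placeholder for the page hosting the links.
console.log(findMismatchedLinks(SAMPLE_HTML, "http://example.test/"));
```

Only navigation written as a string literal in the handler is caught; targets built at run time need a real parser or dynamic analysis.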