Full Disclosure mailing list archives
Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 22 Oct 2005 07:47:04 +1300
Jake Cole to me:
You've turned a technical discussion into a nitpick over poorly chosen words. I fail to see what that accomplishes. The original author posted an example which was not cross-browser for reasons not related to the "exploit". IE uses document.write on the _current_ document yet Mozilla uses it in its original called context. I simply added a SetTimeout to force Mozilla to delay the call by a few milliseconds (FYI, the "Firefox Version" works in IE also). But this little browser inconsistency is meaningless because there are dozens of other cross-browser methods to accomplish the redirection without using document.write or SetTimeout, as shown in the previous poster's example using 'self.location.href'.
...and probably even without using scripting at all.
It is "expected" that when the user clicks on an anchor tag, any action specified in the onClick event will be executed. This is defined by the W3C spec and consistent across all browsers. If one of several scripting languages is enabled, the onClick event can perform any of an endless number of actions. It can create a mouseover, open a new window, call another script, load an external object, close the browser, and, yeah, it can even tell your browser to go to google.com. All of these actions are potentially malicious and may not be what the end-user expects. Your argument that this is not sane behavior may be valid but this behavior is as old as the web as we know it. The time to speak up was almost a decade ago because, without massive ramifications to the functionality of millions of websites, not much is going to completely "fix" it now.
Some informed, security aware folk have been saying such (and many other) things are insane, and for that long. Just because the lunatics running the asylum at the time ignored us does not mean we were wrong or that (some of us) will now simply accept that because it is that way it should stay thus. For all its "good", the whole WWW thing is a classic example of why geeks should not be allowed to develop end-user facing technology without massive assistance from folk who have some idea of how the non-geek folk in the world actually work.
This has gone way off track.
Only if you don't actually care about security, which has to make me wonder why you bother reading, and posting to, this list... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Jake Cole (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Valdis . Kletnieks (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Thierry Zoller (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Valdis . Kletnieks (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Paul Schmehl (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Nick FitzGerald (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Thierry Zoller (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Valdis . Kletnieks (Oct 20)
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Jake Cole (Oct 21)
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Nick FitzGerald (Oct 21)
- Re: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen) Mike Camden (Oct 21)