Re: stupid IE7 question

[Schanulleke <schalulleke () gmail com>]

jas1 () hotmail com wrote:
> I am currently testing a proprietary (supposedly) secure web based application. The application was built around 
> users with IE6.0 and above, one of the instances of this is that the URL is hidden from the end user when browsing 
> the application. Of course you can ctrl-N or save the page locally to gain the URL, but most end users would not be 
> looking for the URL. I advised a while back that the application should not be passing sensitive info via the URL in 
> the first place. On a recent test I thought I would use IE7 and found that 'for security' reasons the URL is always 
> displayed, greyed out. The issue here is that some internal/external proprietary applications will now display 
> sensitive info via the URL that could cause 'serious' information disclosure - apart from relaying to the vendor to 
> code their apps more securely, does anyone have any more suggestions please?
>   
First off. However you solve it it is still broken as you are leaking
the info....

To fix it. Create a frameset with a signle frame and load in there.

See: http://nicky.breedijk.net which actually loads a page from
foto.breedijk.net.

Schanulleke

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------