Bugtraq mailing list archives

Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability
From: Robert J Taylor <robert () rjamestaylor com>
Date: Thu, 27 May 2004 13:01:13 -0700

sandrijeski () yahoo com wrote:

In-Reply-To: <40A90108.9000301 () kurczaba com>

I can't see this as a vulnerability because it's legal code. I do something similar without using an image map for my site to hide the affiliate tracking code.
This is the code:
<a onmouseover="window.status='http://www.the-url-you-see.com';return true" title="The Link"
onmouseout="window.status='Whatever-you-like-here';return true"
href='http://www.some-other-url.com'>The link</a>

Being able to do something intentionally doesn't make it safe or ethical. You are hiding tracking information from the person using your site; in effect and in fact you are lying to your visitor. As a visitor to your site I would not appreciate my browser hiding the real contents of information used to track me and/or hide the real purpose of a benign-looking link. I would want my browser to be my agent, not yours.

Your anecdote rather establishes the vulnerability and points to its current use "in the wild."


Regards,

Robert J Taylor
robert-bugtraq () rjamestaylor com

