mailing list archives
Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 21 Oct 2005 08:07:38 +1300
Mike Camden wrote:
I thought this was by design since you may have a known url to go to but
only after some form of validation has been passed.
IFF that is the case, then it is an extraordinarily brain-dead design,
as it breaks the very critical "rule" that you should NOT surprise the
user. A URL link that is shown in the interface to go one place, but
which goes somewhere else is fundamentally broken under that rule.
If this is by design, then it's another case of a feature that breaks
Billy's admonition that security is to trump features, so should be
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/