Full Disclosure: RE: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen).

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

RE: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen).

From: "Scott Melnick" <smelnick () water com>
Date: Thu, 20 Oct 2005 15:30:48 -0400

Nick FitzGerald Wrote:

IFF that is the case, then it is an extraordinarily brain-dead design, 
as it breaks the very critical "rule" that you should NOT surprise the 
user.  A URL link that is shown in the interface to go one place, but 
which goes somewhere else is fundamentally broken under that rule.

If this is by design, then it's another case of a feature that breaks 
Billy's admonition that security is to trump features, so should be 
fixed.

Regards,
Nick FitzGerald



It has been that way for a long time. Sometime the underlined link is in
the form of Click Here to be redirected. Phishing schemes have been
using this in emails for a good long time as well. Especially the ebay
account ones that I'm sure everyone has seen about account information.


Scott Melnick
Security Guy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

RE: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen). Scott Melnick (Oct 20)
- RE: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen). Nick FitzGerald (Oct 21)