Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 22 Oct 2005 05:39:54 +1300

Raoul Nakhmanson-Kulish to me:

Cross-platform code (remove line breaks to test):
<a href="http://www.microsoft.com"; 
onclick="self.location.href='http://www.google.com/';return 
false;">Microsoft</a>
Works OK in MSIE 6.0/Win2003 SP1 fully patched, Mozilla 1.7.12, Opera 8.50.
In my Win2KSP4+, Mozilla 1.0.7 it doesn't work
Do you mean Mozilla Firefox 1.0.7?

Yes -- fingers don't work as fast as grey matter...

Had you removed line breaks (there must be a space between "return" and
"false")?
Had you allowed JavaScript in your browser?

Yes, and yes, but I missed (in my hurry) that this (your?) "example" 
was not the OP's.  My comments apply to the OP's code -- in Firefox 
1.0.7 on Win2K SP4 UR1+ the spoof does NOT work -- mouse-over the link 
and it is to MS and clicking it takes you to MS.

BUT, as I also said, if you then hit "go back", instead of taking you 
to the original PoC page Firefox takes you "back" to Google (another 
"go back" takes you to the PoC page and now Google and then MS is in 
your forward browser history).

IE 6.0 SP1+ is even weirder with the original PoC, as regards "go back" 
behaviour -- it seems that trying to go back to the PoC page (from 
Google, as the forward spoof works) causes the spoof script to be re-
run, popping you back to Google despite the mouse-over location for the 
"go back" button being the URL to the PoC.  However, selecting the 
first instance of the PoC URL from the drop-down on the "go back" 
button successfully reloads the PoC page...

I tested the code in FF 1.0.7 on fully patched Win2K SP4 UR1. It works.

Yes, your (the above) code works on Firefox 1.0.7 and does not have the 
"go back" weirdness in either Firefox or IE.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]