[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Subject: [IP] more on Over and out
Delivered-To: dfarber+@ux13.sp.cs.cmu.edu
Date: Fri, 30 Jan 2004 14:46:43 -0600
From: Mike Skallas <user245@hotmail.com>
Subject: Re: [IP] more on (seems it is not just IE -- ) MSFT: don't click on links, type them in by hand
To: dave@farber.net

> this vulnerability is also present in Mozilla, so Mr. Link's solution
> fails on its merits.

This is simply untrue. You can test the vulnerability here:
http://www.secunia.com/internet_explorer_address_bar_spoofing_test

On Firebird .7 the URL box reads:
http://www.microsoft.com%01%00@secunia.com/internet_explorer_address_bar_spoofing_test/

On Mozilla 1.5 it reads:
http://www.microsoft.com%01%00@secunia.com/internet_explorer_address_bar_spoofing_test/

On IE 6 it reads:
http://www.microsoft.com

Mike
http://everythingisnt.com

and

From: Steven Champeon <schampeo@hesketh.com>
Subject: Re: [IP] more on (seems it is not just IE -- ) MSFT: don't click on links, type them in by hand
X-Originating-IP: [127.0.0.1]
To: Dave Farber <dave@farber.net>
Cc: bc@clicknation.com

on Fri, Jan 30, 2004 at 03:36:08PM -0500, Dave Farber wrote:
> Delivered-To: dfarber+@ux13.sp.cs.cmu.edu
> Date: Fri, 30 Jan 2004 14:13:34 -0500 (EST)
> From: Bruce Campbell <bc@clicknation.com>
> Subject: Re: [IP] [Boing Boing Blog] MSFT: don't click on links,
> type them in by hand
> To: dave@farber.net
<snip>
> I'd be interested in knowing what browsers/mail readers fail the test.

Safari 1.1.1 (Panther) passes with flying colors, FWIW - the entire URL, %00 and all, is displayed in the status bar (if shown). But the link still takes you to clicknation.com.

If the status bar is hidden, which is possible by way of a window.open() Javascript call with the right parameters - which can be launched by an unwitting user clicking on a link with an onclick event handler defined - then all bets are off.

Steve
--
hesketh.com/inc. v: (919) 834-2552 f: (919) 834-2554 w: http://hesketh.com
Book publishing is second only to furniture delivery in slowness. -b. schneier

-------------------------------------
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/