RE: [Full-disclosure] New (19.10.05) MS-IE Url Spoofing bug (byK-Gen).
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: RE: [Full-disclosure] New (19.10.05) MS-IE Url Spoofing bug (byK-Gen).
- From: "Scott Melnick" <smelnick@xxxxxxxxx>
- Date: Thu, 20 Oct 2005 15:30:48 -0400
Nick FitzGerald Wrote:
>IFF that is the case, then it is an extraordinarily brain-dead design,
>as it breaks the very critical "rule" that you should NOT surprise the
>user. A URL link that is shown in the interface to go one place, but
>which goes somewhere else is fundamentally broken under that rule.
>If this is by design, then it's another case of a feature that breaks
>Billy's admonition that security is to trump features, so should be
>fixed.
>Regards,
>Nick FitzGerald
It has been that way for a long time. Sometimes the underlined link is in
the form of Click Here to be redirected. Phishing schemes have been
using this in emails for a good long time as well, especially the eBay
account ones that I'm sure everyone has seen about account information.
Scott Melnick
Security Guy
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/