It’s just data

Security Flaw

While a security hole in IE gets Slashdot coverage, it seems that this particular security hole can affect not only IE, but also Mozilla 1.5.

Demonstration: not yahoo


Interestingly, in my aggregator (NewsGator), it showed the bogus link for what it was when I hovered over it.

In fairness to this bug, it's easy to override the status bar when hovering over a link. Since IE cannot turn off this behavior without completely turning off JavaScript, I'm not sure how this can be considered some kind of major security hole.

Posted by Brad Wilson, The .NET Guy at

I suggest that this is well beyond IE and Mozilla. Any code that attempts to detect and render URLs might be subject to this (e.g. mail readers, rich text input boxes, document editors, etc.)

This is a spam hack as well ... I've seen use of funky encoding in attempts to obfuscate.

This is tangentially related to the REST debate ... what are the security implications of using valid URL encoded characters that turn into whitespace? Should any proposed standard declare that it will simply not accept such encodings? Or does it fall to the implementor to detect these attempts to hack the RPC call?

I ask the latter because it's a relatively unknown "feature" of the latest release of Microsoft's SharePoint Services that it will simply not allow you to upload files that have valid characters in the name (from an OS perspective) that are subject to encode/decode roundtrip madness. Examples of "invalid chars" include "{" and "&". Allowing these filenames (which earlier releases of STS and SPS did) resulted in "madness" as the names could get munched on the roundtrip -- particularly if the name was in turn embedded in HTML and was subject to not only URL encoding but also HTML encoding.

Posted by phil at

IE6 has a worse bug than Mozilla, though.  If you replace the %00 with a %01, then IE6 will take you to slashdot.org while displaying yahoo.com not only in the status bar but also in the address bar.

With 00, IE6 and Mozilla both link to slashdot.org and display slashdot.org in the location bar.

With 01, Mozilla goes to slashdot.org and displays "http://yahoo.com%01@slashdot.org/" in the address bar.  IE6 goes to slashdot.org but displays only yahoo.com in the address bar.

Posted by Matt Brubeck at

The flaw affects older versions of Mozilla as well.

Interesting question about URL security issues and REST. It seems like any data representing a remote address could be potentially invalid, whether that data is acquired via REST or not.

Similarly, it seems like remote data, via REST or otherwise, could take advantage of an unvalidated parameter flaw.

(see also: the OWASP Top Ten is a useful reference on web application security flaws)

Posted by Jay Fienberg at

Latest IE Security Flaw Also Affects Mozilla

Reported by Sam Ruby, the Internet Explorer URL spoofing bug also appears to affect Mozilla and Firebird....... [more]

Trackback from Branchleft at

On Firebird 0.7, it goes to Slashdot and displays "http://slashdot.org/" in the address bar, so no trace of the spoofed URL.

Posted by Dave Seidel at

Dave: hover over the not yahoo link above.  What does it say is the target URL?

Trust me, with a little decoration one could add some text followed by an @ sign followed by the real address (as a single decimal, not the normal dotted decimal that people are used to) to make it appear to the casual observer (I mean, really, who would double check this?) that they had landed at the site that they thought they were going to...

Posted by Sam Ruby at

Sam, the status area hasn't been trustworthy for anybody with Javascript turned on for a long time.

<a href="http://slashdot.org" onMouseOver="window.status='http://yahoo.com';return true;" onMouseOut="window.status='';">not yahoo</a>

No obscure ASCII characters required.

Posted by steve minutillo at

Doesn't affect Opera (of course).

Posted by kami at

Evil plans.

The best part of the latest IE security problem (which coincidentally also partially affects Mozilla) is all the cloaked links to Goatsex and Tubgirl soon to appear in the comments on Slashdot....... [more]

Trackback from Neurotech at

Internet Explorer URL Spoofing Vulnerability

Quote: Example displaying only "http://www.trusted_site.com" in the two bars when the real domain is "malicious_site.com":[link] A test is available at:...

Excerpt from iBLOGthere4iM at

Maybe this is too obvious but right clicking links and viewing their properties reveals the scam... not that anyone would actually take the time to do this.

Posted by Ron at

The fact that you can do the same thing with javascript (actually, Mozilla has a javascript pref specifically to turn off this ability, but assuming that no one sets that) isn't actually as mitigating as you might think. By default, javascript does not run in Mail/News, so one expects to be able to trust the status bar in this case. Needless to say, spammers would be obvious people to exploit this bug. There are also cases where you have a reasonable expectation that authors do not have access to javascript - for example weblog comments. So sure, the javascript thing is important if you're already on a site controlled by the malicious author. This bug removes that requirement.

FWIW, there is a bugzilla bug on the issue and a preliminary patch.

Posted by jgraham at

Amaya is immune.

Posted by ajgB at

The real security problem is not the status bar - it's been known for a long time that can be easily spoofed using javascript. The problem is that using IE, you can create a link that will take you to a page with a different URL in the address-bar than the real URL of the site.

Consider a weblog with an entry like "great new features at paypal.com", with a link on "paypal.com". This link will look just like the real thing - it will show paypal.com in the status-bar and when you click it, it will take you to a page that looks just like paypal and that will show www.paypal.com in the address bar.

The only difference is that this will actually be a spoofed page hosted elsewhere, and when you enter your paypal password it will go to the hacker's website. Not even the most computer literate would be able to tell the difference though... (unless you do a "view source" prior to clicking the link, but who does that?)

See [link] for a demonstration of this flaw.

Posted by Luke Hutteman at

Yet another serious problem in IE

Yet another serious problem discovered in IE, ready to be used against innocent users. (117 words)...

Excerpt from Superfície Reflexiva at

Hello.
I simply wish you continued success with your business. If you ever need help with your marketing, just visit me on my website. We can sort out everything else from there.

Best regards
Tim Allerkun of marketingplaene.de

Posted by Tim Allerkun at

They tried, but it didn't work.

According to Sam Ruby, the flaw reported in the previous post would also affect Mozilla. After some more tests, I confirmed that this is still a tall tale from the opposition: the reported bug is a hack made to fool the message of the... [more]

Trackback from Pattern Recognition at

RE: Security Flaw

It does not affect RSS Bandit. See [link]
BTW: I didn't like to see that comment spam is also initiated by Germans ...

Message from TorstenR at

To kami:

You actually can spoof Opera, you just don't use the ASCII characters.  Example:  This appears to link to Microsoft.com, with some session variables, but actually links to my site.  The casual observer would never know the difference, if I made the page it goes to appear the same as the page they were expecting.

Also, I agree with phil.  This is beyond just browsers, but includes other programs as well.  For example, when I put the "not yahoo" actual link as the link for some text in Macromedia Studio MX 2004, it only shows http : //yahoo.com/%01 in the link bar (of course, the real link shows in the source).

Posted by Sean Valencourt at

IE security flaw also affects Mozilla 1.5

Just because a software package you dislike has a security flaw, doesn't mean the software package you do like doesn't....

Excerpt from MovableBLOG: Asides at

IE Security Vulnerability Exploited

The security vulnerability in Internet Explorer that was published a few weeks ago has been exploited. Not only that, it's been done almost exactly as I commented (envisioned?) here on Sam Ruby's blog, only using spam instead of a weblog entry. This...

Excerpt from Luke Hutteman's public virtual MemoryStream at

IE Security Vulnerability Exploited

The security vulnerability in Internet Explorer that was published a few weeks ago has been exploited. Not only that, it's been done almost exactly as I commented (envisioned?) here on Sam Ruby's blog, only using spam instead of a weblog entry. This is the spam email I received: Viewing the html-source revealed that the "click here" link does not actually...... [more]

Trackback from public virtual MemoryStream at
