>
> You might find it informative to review the section of BSH on URL parsing:
> http://code.google.com/p/browsersec/wiki/Part1#Uniform_Resource_Locators
Also, a considerable part of Aditya's concern seems to be the disconnect
between what the user sees in the Status Bar and the actual link target.
It's easy to conceal the link's URL on a page in which the attacker can embed
Javascript (e.g., on an attacker's Web site, but not in a well-designed
webmail system) with code like the following:
<a href="http://google.com/"
Vulnerability Table
===================
1. Firefox 2.0.0.6 Encoded URI Statusbar Spoofing Vulnerability
We should fill in as many %20 as possible to hide the payloads on
some wider screens.
The JavaScript Test 2 example is great for stealth phishing attacks
while status bar spoofing is great for hiding our attack payload.
I also made a record for hiding XSS payload.
http://yehg.net/lab/pr0js/vulnerables/status_bar_url_spoofing.htm
violating the integrity of the signed ODF document.
The real problem arises from the fact that the replicated,
unprotected data is used to build the first information
dialog that a user gets after double-clicking on the
icon in the statusbar that indicates a valid signature or
after choosing "File->Digital Signatures" from the menu.
Only when he opens the certificate's details is the correct and
protected information decoded and thus certified
information shown.
In "http://hi.baidu.com/xisigr/blog/item/edbcba00011864de267fb55a.html",
127.0.0.1 is just a fictitious example.
See real examples: http://xisigr.googlepages.com/firefoxspoofing, test 1
is mine, test 2 is yours. Some "%20" to display a "white space" in the
Status Bar.
On Mon, Jul 27, 2009 at 5:47 PM, Juan Pablo Lopez
Yacubian<jplopezy@gmail.com> wrote:
> xisigr
Hi
With the new features implemented in IE 8, the status address bar has been
transformed too. The new step taken by the Microsoft IE team, which is not to
show the address of the selected link in the status bar, can have a serious
impact. A user will not be able to see the active link in the status bar.
This looks to be an implementation of a security solution with obscurity.
Status bar is required
Yes, sure, I can imagine - but so is "click this .exe to see a postcard
from your grandma" type spam.
To clarify, I have three issues with your report:
1) Status bar text is inherently untrustworthy, not because of a
particular design or coding flaw in Firefox, but because of the
design of HTML, DOM, ECMAScript, and the like (event handlers,
dynamic update of link properties, etc). Much of the modern
Web relies on this design to deliver interactive UIs for web
applications, and this is a well-known and documented behavior that
your mail looks like this...
http://seclists.org/fulldisclosure/2007/Jul/0288.html
http://seclists.org/fulldisclosure/2007/Jul/0290.html
You only put your eyes on the status bar, but the data URL scheme address bar spoofing on Firefox isn't your discovery
Vulnerability:
==============
When the Firefox browser address bar and status bar deal with a URL
containing space characters, there is no reasonable encoding
of the URL. Blank characters behind the malicious code will be hidden.
An attacker can construct a long URL with spaces to
deceive.
Exploit:
==============
> "[..]javascript: might be somewhat counterintuitive
> and can be used for obfuscation, but are otherwise
> displayed properly in the status bar.[..]"
This is exactly what I meant - I am definitely not
saying that URL is being wrongly displayed. What I
am saying is that it might cause a problem for
normal users (and it will).