Here's both examples on an HTML page. Why you ask?
Many mail programs won't show the actual "exploits" as HTML.
Here you can see both the code and the HTML side-by-side.
First one from Benjamin Tobias Franz
Second one is my inline Javascript
Third one is Table with border
Page originally posted at 6:29pm PST 10-28-04, updated 4:27pm PST 10-29-04
Side note: I tested Benjamin's example on a Windows box with IE finally.
My example still holds true however, as I expected. I wouldn't call it a bug or an exploit really. It's more like an "abused feature" if anything. It's not a glitch or an example of bad coding. It's just yet another deceptive way to fool someone using the resources available.
Comments? Email: exploit@guidoz.com
Changes: Added the table with border example
Using Win XP Pro w/ SP2 (Fully patched according to Windows Update - IE version: 6.0.2900.2180), his example does NOT work. If you hover your mouse just above the link (where the table border would be), it says Microsoft.com, however, going over the actual link inside the table will properly reveal Google.com. (Maybe Microsoft patched this? Not sure what is meant by "fully patched" in Benjamin's text. Patched to what?) I've added a table with a border as well down below to show this point.
---------------------------------------------------
New URL spoofing bug in Microsoft Internet Explorer
There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched),
which allowes to show any faked target-address in the status bar of the
window.
The example below will display a faked URL ("http://www.microsoft.com/") in
the status bar of the window, if you move your mouse over the link. Click
on the link and IE will go to "http://www.google.com/" and NOT to
"http://www.microsoft.com/" .
Actual Code: <a href="http://www.microsoft.com/"><table><tr><td>
<a href="http://www.google.com/">Click here</td></tr></table></a>
Link: | Click here |
Here is the same table above WITH a border that shows the "hotspot"
Actual Code: <a href="http://www.microsoft.com/"><table border="1"><tr><td>
<a href="http://www.google.com/">Click here</td></tr></table></a>
Link: | Click here |
My reply about using the inline Javascript
I'm not arguing that this isn't a bug mind you - it certainly is something that should be looked at.
However, you can accomplish basically the same thing with a little bit of inline javascript:
Actual Code: <a HREF="http://www.google.com/"
onMouseOver="window.status='http://www.microsoft.com/';return true"
onMouseOut="window.status='Done';return true">Click here</a>
Link: Click here
Hovering over the link will display the "fake" Microsoft.com link in the status bar. Leaving the
link will revert to saying "Done" when leaving the link. (Done is what appears in most browsers
after a page is loaded.) Clicking it will goto Google.com
This trivial, yet effective, method has been used for years on advertising sites that want to hide
the affiliate ID or whatever. Plus, it's easier then making a table around every link, which will
throw off the formatting in some browers. =) On the other hand, if you have javascript disabled (or
not supported), then this wouldn't fool you. 6 of one and half a dozen of the other. (Something else
to note - the inline javascript will work across multiple browsers. Not just IE.) Either way, viewing
the page source will reveal the truth, obviously.
NOTE: Russ from NTBugTraq pointed out the malformed HTML in Benjamin's original example, that is, the
missing </a>. This can cause some browsers to create the Microsoft.com link for the entire width of
the page. To correct this, one should include the closing </a> after "Click here" within the table.
Hopefully this will help express the discussion to those without HTML email readers. =)
Comments? Email: exploit@guidoz.com
--
Peace. ~G