[22949] in bugtraq


Re: Javascript in IE may spoof the whole screen

daemon@ATHENA.MIT.EDU (http-equiv@excite.com)
Mon Oct 22 13:42:38 2001

Message-ID: <12878374.1003693609728.JavaMail.imail@dotty.excite.com>
Date: Sun, 21 Oct 2001 12:46:24 -0700 (PDT)
From: "http-equiv@excite.com" <http-equiv@excite.com>
Reply-To: <http-equiv@excite.com>
To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


On Sun, 21 Oct 2001 14:14:37 +0300, Georgi Guninski wrote:

>  
>  Description:
>  
>  This is *not* a security vulnerability by itself but has some
>  security implications.

There are a number of additional situations, namely the HOMEPAGE behavior of
the Internet Explorer series 5.5 +. Very trivial scripting, that will
position on any size screen, on a website can cause quite a bit of havoc.
Instead of providing the code how to do it, consider the following screen
shots:

This is a "disguised" prompt. We've reversed the 'yes' 'no' function so that
you've basically "had it":

http://www.malware.com/pooper.jpg [13kb]

The next is the popup off center to illustrate what was done:

http://www.malware.com/poop.jpg [18kb]

From a security POV, there still remain many vulnerable IE5.5 browsers
susceptible to the [your], com.ms.activeX.ActiveXComponent vulnerability
along with a handful of html/web based Trojans and worms out there, that
coupled with an ActiveX prompt, could just as easily be disguised as above.

---
http://www.malware.com




