[35066] in bugtraq
Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability
daemon@ATHENA.MIT.EDU (Robert J Taylor)
Mon May 31 13:58:57 2004
Message-ID: <40B64909.8050504@rjamestaylor.com>
Date: Thu, 27 May 2004 13:01:13 -0700
From: Robert J Taylor <robert@rjamestaylor.com>
MIME-Version: 1.0
To: sandrijeski@yahoo.com, bugtraq@securityfocus.com
In-Reply-To: <20040527095333.14251.qmail@www.securityfocus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
sandrijeski@yahoo.com wrote:
>In-Reply-To: <40A90108.9000301@kurczaba.com>
>
>I can't see this as a vulnerability because it's legal code. I do something similar, without using an image map, for my site to hide the affiliate tracking code.
>This is the code:
><a onmouseover="window.status='http://www.the-url-you-see.com';return true"
>title="The Link"
>onmouseout="window.status='Whatever-you-like-here';return true"
>href='http://www.some-other-url.com'>The link</a>
>
>
>
Being able to do something intentionally doesn't make it safe or
ethical. You are hiding tracking information from the person using your
site; in effect and in fact you are lying to your visitor. As a visitor
to your site I would not appreciate my browser hiding the real contents
of information used to track me and/or hide the real purpose of a
benign-looking link. I would want my browser to be my agent, not yours.
Your anecdote rather establishes the vulnerability and points to its
current use "in the wild."
Regards,
Robert J Taylor
robert-bugtraq@rjamestaylor.com
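
An added example, not part of the original message or of either poster's code: a defender-side check that scans HTML for `<a>`/`<area>` tags whose `onmouseover` handler sets `window.status` to a URL on a different host than the tag's `href`, the mismatch discussed in this thread. The function names and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# window.status = '...' (or "...") inside an inline event handler.
STATUS_RE = re.compile(r"""window\.status\s*=\s*(['"])(.*?)\1""", re.I | re.S)

def host_of(text):
    """Lower-cased hostname if text is an absolute URL, else None."""
    try:
        return (urlparse(text.strip()).hostname or "").lower() or None
    except ValueError:
        return None

class StatusSpoofFinder(HTMLParser):
    """Records <a>/<area> tags whose status-bar URL names a host other than href's."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = {k: (v or "") for k, v in attrs}
        m = STATUS_RE.search(attr.get("onmouseover", ""))
        if not m:
            return
        shown, real = host_of(m.group(2)), host_of(attr.get("href", ""))
        # Plain-text status messages (no host) are not flagged.
        if shown and real and shown != real:
            self.findings.append({"line": self.getpos()[0], "shown": shown, "real": real})

def find_status_spoofs(html):
    finder = StatusSpoofFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup; the first link follows the pattern quoted in the message.
SAMPLE = """<a onmouseover="window.status='http://www.the-url-you-see.com';return true"
title="The Link" href='http://www.some-other-url.com'>The link</a>
<a onmouseover="window.status='http://example.org/docs';return true"
href="http://example.org/docs/index.html">Docs</a>
<a onmouseover="window.status='Read more';return true" href="http://example.org/more">More</a>
"""

if __name__ == "__main__":
    for f in find_status_spoofs(SAMPLE):
        print(f"line {f['line']}: status bar shows {f['shown']}, link goes to {f['real']}")
```

Only host mismatches are reported; a status text that is not a URL, or that names the same host as the link, is left alone.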