Re: [Evolution-hackers] Security Bug in HTML
- From: Rodney Dawes <dobey ximian com>
- To: guenther <guenther rudersport de>
- Cc: Iñigo Serna <inigoserna terra es>, evolution-hackers ximian com
- Subject: Re: [Evolution-hackers] Security Bug in HTML
- Date: Sun, 11 Jan 2004 12:44:02 -0500
On Sun, 2004-01-11 at 12:07, guenther wrote:
> What you just were referring to in your OP, is a widespread method to
> only fool braindead users -- or users who do not see the target URL at
> all (sic, Evolution <= 1.4.x).
>
> This is similar to <a href="http://evil.site.com">saint</a>, where the
> user only will see the text "saint" *inside* the message. This is just
> plain HTML and *must* be this way. Anything else would be dead wrong.
>
>
> Any sensitive Browser and Mailer will show the target link in the
> statusbar, while the mouse is over the link.
>
> Evolution 1.4.x does not do this. Evolution 1.5.x does it, but I don't
> know if it may fail. IE does show it, but it *decodes* the target URL
> and may display only parts of it when certain strings (like the %01) are
> a part of the target URL (the href value).
>
>
> Hope, this explained the issue. We still do not know how Evolution 1.5.x
> will actually *display* the target URL in the status bar when handling
> your attached message.
It should probably show
"http://www2 bancopopular es www newmonc com:80/gb/servin.php"
as the target url. Or it may just not decode the encoded characters, and
display the ridiculously long string of "%01%01...". Either way, it's not
a security hole. More like another form of indirection, kind of like
when calling tech support for an ISP or such. :)
And even if you *do* click on the link, the browser should either not
work or display the url you will end up at. However, breaking a standard
in order to waste a bunch of space on an HTML page so the full url can
be displayed in the HTML renderer is silly.
-- dobey
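The thread above turns on three things a mail client can check before a user ever hovers: an href that carries percent-encoded control characters such as %01, a userinfo part before "@" that pushes the real host out of view, and visible link text that names one host while the href resolves to another. The following is an added example written for this archive page; it is not code from Evolution or from either poster. It uses only the Python standard library, all host names in the sample message are constructed placeholders, and the decision of what counts as "suspicious" is this example's own, not a rule stated in the thread.

```python
"""Flag HTML links whose visible text misrepresents their real destination.

Added example for the archive page; not Evolution code and not code from
the thread participants. Sample anchors and host names are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# A percent-encoded byte in the C0 control range (%00-%1F) or DEL (%7F).
CONTROL_ESCAPE = re.compile(r"%(0[0-9a-fA-F]|1[0-9a-fA-F]|7[fF])")


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(href):
    """Return the host a browser actually connects to for href.

    urlsplit assigns everything before '@' to userinfo, so a URL like
    http://bank.example%01%01@evil.example is attributed to evil.example
    regardless of how the userinfo part is padded.
    """
    return (urlsplit(href).hostname or "").lower()


def host_in_text(text):
    """Return the host the visible text claims, if the text looks like a URL or domain."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlsplit(candidate).hostname or ""
    # Treat it as a host claim only if it contains a dot and the text has no spaces.
    return host.lower() if ("." in host and " " not in text.strip()) else ""


def analyze_link(href, text):
    """Return the reasons this anchor deserves suspicion; an empty list means none found."""
    reasons = []
    if CONTROL_ESCAPE.search(href) or any(ord(c) < 0x20 for c in unquote(href)):
        reasons.append("control characters encoded in URL")
    if urlsplit(href).username is not None:
        reasons.append("userinfo before '@' hides the real host")
    claimed, actual = host_in_text(text), real_host(href)
    if claimed and actual and claimed != actual:
        reasons.append(f"text claims {claimed} but href goes to {actual}")
    return reasons


def suspicious_links(html):
    """Parse html and return {href: reasons} for every anchor with at least one finding."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = analyze_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message body; every host below is a placeholder.
SAMPLE_HTML = """
<p>Please <a href="http://www2.bank.example%01%01%01%01@www.attacker.example:80/login.php">
http://www2.bank.example/login</a> to confirm your account.</p>
<p>Our site: <a href="http://www.bank.example/">www.bank.example</a></p>
<p>Plain text link: <a href="http://evil.example/">saint</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Note what the third sample anchor shows: a link whose text is just the word "saint" is ordinary HTML and produces no finding, which matches the point made in the quoted reply. Only an href that encodes control characters, smuggles a userinfo part, or contradicts a host named in its own text is reported; the first two checks work on the raw href, so they do not depend on how any particular renderer decodes or truncates the string in its status bar.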