Re: [Evolution-hackers] Security Bug in HTML



On Sun, 2004-01-11 at 18:44, Rodney Dawes wrote:
> On Sun, 2004-01-11 at 12:07, guenther wrote:
> > What you just were referring to in your OP, is a widespread method to
> > only fool braindead users -- or users who do not see the target URL at
> > all (sic, Evolution <= 1.4.x).
> > 
> > This is similar to <a href="http://evil.site.com">saint</a>, where the
> > user only will see the text "saint" *inside* the message. This is just
> > plain HTML and *must* be this way. Anything else would be dead wrong.
> > 
> > 
> > Any sensitive Browser and Mailer will show the target link in the
> > statusbar, while the mouse is over the link.
> > 
> > Evolution 1.4.x does not do this. Evolution 1.5.x does it, but I don't
> > know if it may fail. IE does show it, but it *decodes* the target URL
> > and may display only parts of it when certain strings (like the %01) are
> > a part of the target URL (the href value).
> > 
> > 
> > Hope, this explained the issue. We still do not know how Evolution 1.5.x
> > will actually *display* the target URL in the status bar when handling
> > your attached message.
> 
> It should probably show
> "http://www2 bancopopular es www newmonc com:80/gb/servin.php"
> as the target url. Or it may just not decode the encoded characters, and
> display the ridiculously long string of "%01%01..."

Ack. Although I am in no way sure what that hell of a string should be
decoded to.


> Either way, it's not
> a security hole. More like another form of indirection, kind of like
> when calling tech support for an ISP or such. :)

It actually is a security hole in IE, as the *location bar* in IE does
*not* show the URL it is visiting. (If I recall correctly from bugtraq.)


> And even if you *do* click on the link, the browser should either not
> work or display the url you will end up at.

Ack.


> However, breaking a standard
> in order to waste a bunch of space on an HTML page so the full url can
> be displayed in the HTML renderer, is silly.

I really dunno what standard breaking you are referring to.


Evolution must display the href value in the statusbar while the mouse
is over the link. Evolution either must display this value unaltered
(easy) or decode it correctly to display the real target URL (harder, as
this may depend on some browser logic). Evolution must pass the string
as-is, unaltered in any way to the browser.

(Evolution must *not* change the clear text value between the opening
and closing Anchor tag in any way to display the href value. ;-)

...guenther


-- 
char *t="\10pse\0r\0dtu\0  ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
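As an added example (not code from this thread, and not Evolution's own link handling), the script below shows the three things a mailer could put in front of the user for one anchor: the anchor text, the raw href value, and a percent-decoded view of the href, next to the host a WHATWG URL parser actually resolves. The sample message body is constructed for this example; the two hostnames are the ones named above, but the exact href of the original attachment is not known, so the "%01...@" layout is an assumed reconstruction of the trick being discussed.

```javascript
// Added example, not part of the original thread or of Evolution.
// Why the "%01" trick works: once decoded, the control characters are
// invisible, and everything before the "@" is userinfo, not the host.
// A status bar that shows the raw href, or decodes it *correctly*, makes
// that visible; a display that decodes and then truncates at the control
// character shows only the fake part.

// Constructed sample message body (assumed layout of the phishing href).
const SAMPLE_BODY =
  '<p>Please confirm your details at ' +
  '<a href="http://www2.bancopopular.es%01%01%01%01@www.newmonc.com:80/gb/servin.php">' +
  'http://www2.bancopopular.es/gb/servin.php</a></p>';

// Pull (href, anchor text) pairs out of HTML. Deliberately small scanner:
// it only handles double-quoted href attributes.
function extractAnchors(html) {
  const re = /<a\b[^>]*\bhref\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ text: m[2].replace(/<[^>]*>/g, '').trim(), href: m[1] });
  }
  return out;
}

// The "views" of a single href: raw (what a mailer should show unaltered),
// decoded (what an IE-style decode-for-display would produce), and what the
// URL parser resolves as host and userinfo.
function inspectHref(href) {
  let decoded = null;
  try {
    decoded = decodeURIComponent(href);
  } catch (e) {
    // Malformed percent-escape: keep null rather than guessing a decoding.
  }
  let host = null;
  let userinfo = null;
  try {
    const u = new URL(href);
    host = u.hostname;
    userinfo = u.username + (u.password ? ':' + u.password : '');
  } catch (e) {
    // Not an absolute URL the parser accepts.
  }
  // C0 control characters the decoding produces: exactly the characters
  // that vanish in a UI that decodes before displaying.
  const hiddenControls = decoded === null
    ? 0
    : Array.from(decoded).filter((c) => c.charCodeAt(0) < 0x20).length;
  return {
    raw: href,
    decoded,
    host,
    userinfo,
    hiddenControls,
    // Heuristic for this specific disguise only: userinfo in a web link or
    // control characters in the decoded form. Not a general phishing check.
    looksDisguised: hiddenControls > 0 || Boolean(userinfo),
  };
}

// Audit every anchor in a message: compare the host the anchor *text* claims
// (if the text is itself a URL) with the host the href really resolves to.
function auditMessage(html) {
  return extractAnchors(html).map(({ text, href }) => {
    const info = inspectHref(href);
    let textHost = null;
    try {
      textHost = new URL(text).hostname;
    } catch (e) {
      // Anchor text is not a URL ("saint", "click here"); nothing to compare.
    }
    return {
      text,
      textHost,
      ...info,
      hostMismatch: textHost !== null && textHost !== info.host,
    };
  });
}

// Stand-alone run: prints the audit of the constructed sample.
console.log(JSON.stringify(auditMessage(SAMPLE_BODY), null, 2));
```

For the constructed sample, the anchor text claims `www2.bancopopular.es`, the raw href is shown unchanged, the decoded form contains four invisible control characters, and the parser resolves the host as `www.newmonc.com` with `www2.bancopopular.es%01%01%01%01` as userinfo; that is the mismatch a status bar showing the raw or correctly decoded href lets the user see.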
