httpd-users mailing list archives

From Evan Platt <e...@espphotography.com>
Subject Re: [users@httpd] Spoofing URLs in the address bar
Date Wed, 15 Nov 2006 19:30:29 GMT
At 11:14 AM 11/15/2006, you wrote:
>Is it possible to display a different URL than the actual site that 
>the browser is contacting in the address portion of a browser?  I 
>had thought the only options for the URL were either the actual 
>site, or the proxy server site in the instance where you are using a proxy.
>
>I'm asking this as a security question.  If a user gets an email and 
>clicks on a link (the HREF can say anything it wants), is it 
>possible to have the browser show 
>http://www.citibank.com in the address bar 
>when it's really connected to some Chinese malware site?
>
>I know that there are exploits out there for IE, but let's assume 
>I've got fully patched IE or Firefox and that we don't have some 
>bizarre DNS tainting or the like going on.

There's a 'trick', if you will, that LOOKS like an address bar.

Basically some JavaScript that makes the browser go to full screen, 
then basically has a JPG / GIF on top of a fake address bar.

Or even JavaScript that 'looks' like the address bar, and is clickable.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

