httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Spoofing URLs in the address bar
Date Thu, 16 Nov 2006 00:59:37 GMT
On 11/15/06, Joshua Slive <joshua@slive.ca> wrote:
> On 11/15/06, gdwfkd@gmail.com <gdwfkd@gmail.com> wrote:
> > Is it possible to display a different URL than the actual site that the
> > browser is contacting in the address portion of a browser?  I had thought
> > the only options for the URL were either the actual site, or the proxy
> > server site in the instance where you are using a proxy.
> >
> > I'm asking this as a security question.  If a user gets an email and clicks
> > on a link (the HREF can say anything it wants), is it possible to have the
> > browser show http://www.citibank.com in the address bar when it's really
> > connected to some Chinese malware site?
> >
> > I know that there are exploits out there for IE, but let's assume I've got
> > fully patched IE or Firefox and that we don't have some bizarre DNS tainting
> > or the like going on.
>
> I'm not sure why this question is here; it has nothing directly to do
> with Apache.
>
> The answer is, excluding browser bugs, it is impossible for someone
> who does not control a site to make that site appear in the location
> bar.

Actually, I guess I should add a couple caveats.  This could also be
accomplished if the "attacker" controls the DNS used by the client or
the network between client and server (assuming a non-SSL connection;
if it's an SSL connection, they'd also need to control the client's
certificate authority).

Joshua.
