On 11/15/06, Joshua Slive <joshua@xxxxxxxx> wrote:
On 11/15/06, gdwfkd@xxxxxxxxx <gdwfkd@xxxxxxxxx> wrote:
> Is it possible to display a different URL than the actual site that the browser is contacting in the address portion of a browser? I had thought the only options for the URL were either the actual site, or the proxy server site in the instance where you are using a proxy.
>
> I'm asking this as a security question. If a user gets an email and clicks on a link (the HREF can say anything it wants), is it possible to have the browser show http://www.citibank.com in the address bar when it's really connected to some Chinese malware site?
>
> I know that there are exploits out there for IE, but let's assume I've got fully patched IE or Firefox and that we don't have some bizarre DNS tainting or the like going on.

I'm not sure why this question is here; it has nothing directly to do with Apache. The answer is, excluding browser bugs, it is impossible for someone who does not control a site to make that site appear in the location bar.

Actually, I guess I should add a couple caveats. This could also be accomplished if the "attacker" controls the DNS used by the client or the network between client and server (assuming a non-SSL connection; if it's an SSL connection, they'd also need to control the client's certificate authority).

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.