web application security lab

Internet Explorer 7.0 Address Bar Spoofing

Coming quick on the heels of my last post comes an advisory from Secunia around address bar spoofing in Internet Explorer 7.0. This one is pretty straightforward: just add some %0A's (the URL-encoded line feed) as padding in the URL of a popup window. It should be pretty trivial to fix, but I can never figure out why browsers allow the URL field to be removed at all. Suppression of URL fields should never be allowed unless the user permits it as a power user function.
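As an added example (not code from the post or from the Secunia advisory), the script below models the problem: a naive address-bar renderer that percent-decodes and shows only the first line beside a hardened one that keeps control characters encoded, plus the check a popup opener or proxy could apply before loading a URL. The hostnames, the sample URL and the "first line only" display model are assumptions.

```javascript
// Added example, not code from the original post or the Secunia advisory.
// Models the address-bar problem: a URL padded with %0A (percent-encoded
// line feeds). A renderer that percent-decodes and shows only the first line
// hides everything after the padding; a hardened renderer keeps control
// characters encoded so nothing disappears from view.
// The hostnames and the "first line only" display model are assumptions.

const CONTROL_CHAR = /[\u0000-\u001f\u007f]/;    // single-match test
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/g;  // global replacement

// Constructed sample: a plausible-looking path followed by twelve encoded
// line feeds and a tail the naive display never shows.
const SAMPLE_URL =
  "http://www.example.com/login" + "%0A".repeat(12) + "#tail-hidden-by-padding";

// Naive display: decode, then show only what fits on the first line.
function naiveDisplay(url) {
  return decodeURIComponent(url).split("\n")[0];
}

// Hardened display: decode for readability, but re-encode every control
// character so line feeds, carriage returns and tabs stay visible as %XX.
function hardenedDisplay(url) {
  return decodeURIComponent(url).replace(CONTROL_CHARS, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

// Policy check for a popup opener or proxy: flag any URL whose decoded form
// contains a control character. A URL that does not even decode cleanly is
// treated as suspicious rather than silently accepted.
function hasEncodedControlChars(url) {
  try {
    return CONTROL_CHAR.test(decodeURIComponent(url));
  } catch (e) {
    return true; // malformed percent-encoding raises URIError
  }
}

console.log(naiveDisplay(SAMPLE_URL));           // http://www.example.com/login
console.log(hardenedDisplay(SAMPLE_URL));        // full URL, %0A runs intact
console.log(hasEncodedControlChars(SAMPLE_URL)); // true
```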

That’s a few big holes in just a few days for the newest version of Internet Explorer. The score card isn’t looking so hot at this point. Anyone keeping score?

4 Responses to “Internet Explorer 7.0 Address Bar Spoofing”

  1. Apnovi Says:

    With all the testing Microsoft do, wouldn't they have seen this one coming... well, maybe not.

    It's only early days though, I'm sure there's plenty more IE7 exploits to come.

  2. Rich Says:

    Keeping score? I’ve put Secunia’s graphs for lots of popular browsers on a single (rather large) web page so it’s easier to see at a glance who’s “winning”. Nothing for Firefox 2.x …yet.

    http://www.h-spot.net/rlt/browser_comparison.htm

  3. RSnake Says:

    Hah! That’s great! It would be even more interesting if we could see this in aggregate, but even without that, what a cool page!

  4. maluc Says:

    wow, very nice page

    never knew secunia had such graphs ^^

    -maluc