On 11/15/06, Joshua Slive <[EMAIL PROTECTED]> wrote:
On 11/15/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Is it possible to display a different URL than the actual site that the
> browser is contacting in the address portion of a browser?  I had thought
> the only options for the URL were either the actual site, or the proxy
> server site in the instance where you are using a proxy.
>
> I'm asking this as a security question.  If a user gets an email and clicks
> on a link (the HREF can say anything it wants), is it possible to have the
> browser show http://www.citibank.com in the address bar when it's really
> connected to some Chinese malware site?
>
> I know that there are exploits out there for IE, but let's assume I've got
> fully patched IE or Firefox and that we don't have some bizarre DNS tainting
> or the like going on.

I'm not sure why this question is here; it has nothing directly to do
with Apache.

The answer is, excluding browser bugs, it is impossible for someone
who does not control a site to make that site appear in the location
bar.

Actually, I guess I should add a couple caveats.  This could also be
accomplished if the "attacker" controls the DNS used by the client or
the network between client and server (assuming a non-SSL connection;
if it's an SSL connection, they'd also need to control the client's
certificate authority).

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.