Comment Big deal, you can already spoof any site. (Score 1) 169

I fail to see why this is even considered an issue. You can EASILY spoof any website with server-side code and the "attack" is cross-browser.

The security bulletin talks about how, using a specifically formed URL, you can download content from a remote site. I do the same thing all the time with a simple bridge in PHP:

httpbridge.php:
---------------
<?php
// Stream whatever the "url" query parameter names back to the caller.
readfile($_GET['url']);
?>

So if you want to get content from Google in JavaScript:

var A = null;
try { A = new ActiveXObject('Msxml2.XMLHTTP'); }
catch (e) {
  try { A = new ActiveXObject('Microsoft.XMLHTTP'); } catch (oc) { A = null; }
}
if (!A && typeof XMLHttpRequest != 'undefined') { A = new XMLHttpRequest(); }
A.open('GET', 'http://www.yoursite.com/httpbridge.php?url=http://www.google.com', false);
A.send();
document.write(A.responseText);

And now you can do any of the listed attacks in any browser. This is nothing new, lots of people already do it for useful reasons. The most recent use I've found is to pull geocodes.
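
For anyone operating a bridge like the one in the comment above, an added example that is not part of the original comment: as posted, `readfile($_GET['url'])` fetches any URL or local path the caller names, so this variant only fetches http(s) URLs on an allowlist and returns the result as inert text. `ALLOWED_HOSTS` and `bridge_target()` are hypothetical names, and the allowlist entry is a constructed sample.

```php
<?php
// Added example: hardened variant of httpbridge.php.
// ALLOWED_HOSTS and bridge_target() are hypothetical names for illustration.
const ALLOWED_HOSTS = ['www.google.com'];   // constructed sample allowlist

/** Return the URL if the bridge may fetch it, or null to refuse it. */
function bridge_target(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                        // relative paths and local files
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                        // file://, php://, ftp://, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                        // user@host look-alike URLs
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;                        // host not on the allowlist
    }
    return $url;
}

$raw = $_GET['url'] ?? '';
$target = is_string($raw) ? bridge_target($raw) : null;
if ($target === null) {
    http_response_code(400);
    exit('refused');
}

// Do not follow redirects, so an allowed host cannot bounce the fetch elsewhere.
$ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
$body = @file_get_contents($target, false, $ctx);
if ($body === false) {
    http_response_code(502);
    exit('upstream error');
}

// Serve as plain text so fetched markup never renders under this site's origin.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo $body;
```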
