Button link flaw
From Neil's blog, another scary story about link spoofing with IE (and Opera, apparently):
Go to this page and click on the link, and then see where you end up. In Firefox, you end up at the page shown in the status bar, as you’d expect, but in IE, you don’t.
The reason is that the link isn’t just a link - it’s a styled button with a link wrapped around it. The link points to a file called ‘success.html’, but the button submits a form to ‘failed.html’. Firefox treats the button as a link but IE treats the button as some kind of link/button hybrid. The status bar shows where the link points to, but when you click the button, which I’ve disguised using CSS to look like a link, it goes to the form output. Therefore, an unsuspecting user could think they’re clicking on a link to one site (say, paypal.com) but actually going to another (dodgysite.com).
The reason why I’m concerned about this is that an example is in the wild. A variant of the Terrakt in Australia trojan-thingy used this to trick me into going to aicworld.info instead of antivirus.com (or rather it would have if Thunderbird hadn’t marked the message as spam and had therefore sanitised the HTML, thus removing all form elements).
I only have IE, Mozilla and Firefox on here so I can’t test other browsers, but I’d be interested to see how other browsers treated this.
Added: I downloaded Opera 7.23, and it failed the test; however, the button appeared more like a button than a normal link and didn’t show any URL in the status bar. Lynx would show the button but say that the document had hidden links.
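The trick above is easy to spot on the server or mail-filter side because the markup has a tell-tale shape: a submit control nested inside an anchor whose `href` does not match the enclosing form's `action`. The following is an added example, not code from Neil's blog or the post above. It uses only Python's standard-library `html.parser`; the sample message is constructed here (the `success.html`/`failed.html` names and the paypal.com/dodgysite.com domains are taken from the post), and the function names are my own. `find_spoofed_links` reports each disguised button together with the URL the status bar would show and the URL the click actually submits to; `strip_forms` rebuilds the document without any form controls, which is the same sanitisation the post credits Thunderbird with and leaves the anchor pointing where it claims to.

```python
"""Detect and neutralise "button disguised as a link" markup (added example)."""
from html.parser import HTMLParser

# Elements that can submit a form or belong to one; a mail sanitiser drops these.
FORM_TAGS = {"form", "button", "input", "select", "textarea"}

# Constructed sample message: the visible link text is really a styled submit
# button, so the status bar shows success.html while the click posts to failed.html.
SAMPLE_HTML = (
    '<p>Please log in at '
    '<a href="http://www.paypal.com/success.html">'
    '<form action="http://dodgysite.com/failed.html" method="post">'
    '<button type="submit" class="looks-like-a-link">www.paypal.com</button>'
    '</form></a> to continue.</p>'
    '<p>An honest link: <a href="http://example.com/">example.com</a></p>'
)


class LinkButtonDetector(HTMLParser):
    """Records every submit control that sits inside both an <a> and a <form>."""

    def __init__(self):
        super().__init__()
        self.anchors = []   # stack of href values for currently open <a> elements
        self.forms = []     # stack of action values for currently open <form> elements
        self.findings = []  # (href the user sees, action the click really goes to)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.anchors.append(a.get("href") or "")
        elif tag == "form":
            self.forms.append(a.get("action") or "")
        else:
            # <button> defaults to type=submit; <input type=submit|image> also submits.
            submits = (tag == "button" and (a.get("type") or "submit").lower() not in ("button", "reset")) or (
                tag == "input" and (a.get("type") or "").lower() in ("submit", "image"))
            if submits and self.anchors and self.forms:
                self.findings.append((self.anchors[-1], self.forms[-1]))

    def handle_endtag(self, tag):
        if tag == "a" and self.anchors:
            self.anchors.pop()
        elif tag == "form" and self.forms:
            self.forms.pop()


def find_spoofed_links(html):
    """Return [(href, action)] for every disguised button whose action differs from its href.

    Plain string comparison is used here; a production filter would resolve both
    URLs against the document's base URL before comparing them.
    """
    parser = LinkButtonDetector()
    parser.feed(html)
    parser.close()
    return [(href, action) for href, action in parser.findings if href != action]


class FormStripper(HTMLParser):
    """Re-emits the document verbatim except for form-related elements (text is kept)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities exactly as written
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in FORM_TAGS:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag not in FORM_TAGS:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag not in FORM_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def strip_forms(html):
    """Return the document with all form controls removed, leaving plain links behind."""
    parser = FormStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for shown, real in find_spoofed_links(SAMPLE_HTML):
        print(f"status bar shows {shown} but the click submits to {real}")
    print(strip_forms(SAMPLE_HTML))
```

Running the block on the constructed sample reports one mismatch (`success.html` shown, `failed.html` submitted); after `strip_forms` the same document yields no findings, because the anchor now wraps ordinary text and every browser, IE included, has nothing left to submit.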