The IE back-button attack
We're not making this up
To illustrate it, Sandblad created a little script which works nicely. Just choose the appropriate link, follow it, and then hit the back button. Big laffs.
The script should work on most IE browsers but has been tested only with IE-6 on Win-2K and XP, according to Sandblad's recent posting to the BugTraq mailing list, where you can get a copy and play with it.
We've confirmed it for IE-6 on Win-XP Pro, and several readers have reported that IE-5 is also affected. We've also heard that McAfee and NAV will block it.
MS was notified on 12 November 2001, and reminded on 25 March 2002, Sandblad says. Apparently they're not as worried as the major anti-virus vendors. ®