IE Explorer URL spoofing vulnerability

Discussion in 'privacy general' started by Peaches4U, Dec 11, 2003.

Thread Status:
Not open for further replies.
  1. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Internet Explorer URL Spoofing Vulnerability

    Secunia Advisory: SA10395
    Release Date: 2003-12-09
    Last Update: 2003-12-11


    Critical: Moderately critical
    Impact: ID Spoofing

    Where: From remote

    Software: Microsoft Internet Explorer 6

    Description:
    A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars.

    The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in an URL.

    Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page.

    This can be exploited to trick users into divulging sensitive information or download and execute malware on their systems, because they trust the faked domain in the two bars.

    Example displaying only "http://www.trusted_site.com" in the two bars when the real domain is "malicious_site.com":
    http://www.trusted_site.com%01%00@malicious_site.com/malicious.html

    A test is available at:
    http://www.secunia.com/internet_explorer_address_bar_spoofing_test/

    The vulnerability has been confirmed in version 6.0. However, prior versions may also be affected.

    Solution:
    Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities.

    Don't follow links from untrusted sources.

    Reported by / credits:
    Originally discovered by:
    Zap The Dingbat

    Status bar variant reported by:
    Chris Hall

    Changelog:
    2003-12-11: Linked to test. Added information regarding variant, which makes it possible to spoof URL in the status bar as well.
     
  2. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Thank you Peaches4U for bringing this information to light for us. :D All the more reason to try another browser. (If only there was a browser as skinnable and customisable as IE!)
     
  3. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
  4. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    The source from which I obtained the IE information at this time cannot find a "Fix" however, I shall do some more searching and see what I can come up with. If there is a Fix, then I will post it here. Cheers.
     
  5. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    MyIE2 fixed it http://www.myie2.com/html_en/home.htm
     

    Attached Files:

  6. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    I posted your URL on another computer discussion forum where a guru checked it out. This is his opinion on Myie2:

    The link provided below will dredge up newsgroup discussions of the browser that include one from the program creator who uses a hotmail handle. There are accusations of spyware, complaints about bugs and nagging messages for donations to use this "free" software.

    I wouldn't touch this program with a ten foot pole.

    http://tinyurl.com/zkyv
     
Loading...
Thread Status:
Not open for further replies.