Internet Explorer URL Spoofing Vulnerability Secunia Advisory: SA10395 Release Date: 2003-12-09 Last Update: 2003-12-11 Critical: Moderately critical Impact: ID Spoofing Where: From remote Software: Microsoft Internet Explorer 6 Description: A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars. The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in an URL. Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page. This can be exploited to trick users into divulging sensitive information or download and execute malware on their systems, because they trust the faked domain in the two bars. Example displaying only "http://www.trusted_site.com" in the two bars when the real domain is "malicious_site.com": http://www.trusted_site.com%01%00@malicious_site.com/malicious.html A test is available at: http://www.secunia.com/internet_explorer_address_bar_spoofing_test/ The vulnerability has been confirmed in version 6.0. However, prior versions may also be affected. Solution: Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities. Don't follow links from untrusted sources. Reported by / credits: Originally discovered by: Zap The Dingbat Status bar variant reported by: Chris Hall Changelog: 2003-12-11: Linked to test. Added information regarding variant, which makes it possible to spoof URL in the status bar as well.