URL spoofing bug (with iframes) in Microsoft Internet Explorer (11/02/2004)

From: Benjamin Tobias Franz (0-1-2-3_at_gmx.de)
Date: 11/02/04

  • Next message: Hat-Squad Security Team: "[Hat-Squad] SQL injection and XSS Vulnerabilities in HELM"
    To: <bugtraq@securityfocus.com>
    Date: Tue, 2 Nov 2004 22:45:40 +0100
    
    

    URL spoofing bug (with iframes) in Microsoft Internet Explorer:
    (11/02/2004)

    There is a security bug in Microsoft Internet Explorer, which allows to
    show any faked target-address in the status bar of the window.

    The example below will display a faked URL ("http://www.microsoft.com/") in
    the status bar of the window, if you move your mouse over the link. Click
    on the link and IE will go to "http://www.google.com/" and NOT to
    "http://www.microsoft.com/" .

    HTML code for page #1 called "btf.htm":

    <a href="http://www.microsoft.com/">
    <iframe src="./btf-spoofing.htm" frameborder="0" scrolling="no" width="70"
    height="25" marginheight="0" marginwidth="0"></iframe>
    </a>

    HTML code for page #2 called "btf-spoofing.htm":

    <a href="http://www.google.com/" target="_top">Click here</a>

    Save both codes as HTML files in the same directory and open "btf.htm" with
    Microsoft Internet Explorer.

    Description:
    Microsoft Internet Explorer can not handle embedded frames with links
    surrounded by an other link correct.
    Successful exploitation allows a malicious web site to obfuscate URLs in
    the status bar, even when javascript support has been disabled.

    Affected software:
    Microsoft Internet Explorer

    Workaround:
    Never follow links from untrusted sources. Or right-click on links ans
    select "Properties" to see the real target. Or use Copy-and-Paste.

    Tested in Microsoft Internet Explorer 6 SP1 (6.0.2800.1106) with all
    patches installed on Windows 98. I see "http://www.microsoft.com/" in
    status bar.
    ONLY if I press tabulator-key 3x (to jump to next link) or click on the
    link, then I can see correct info ("http://www.google.com/") in status bar.

    My DLL versions:

    MSHTML.DLL: 6.00.2800.1477
    BROWSEUI.DLL: 6.00.2800.1596 (xpsp2.040919-1003)
    SHDOCVW.DLL: 6.00.2800.1596 (xpsp2.040919-1003)
    SHLWAPI.DLL: 6.00.2800.1584 (xpsp2.040720-1705)
    URLMON.DLL: 6.00.2800.1475
    WININET.DLL: 6.00.2800.1475

    Regards,
    Benjamin Tobias Franz
    Germany


  • Next message: Hat-Squad Security Team: "[Hat-Squad] SQL injection and XSS Vulnerabilities in HELM"

    Relevant Pages