TOPIC: Internet Explorer URL hiding vulnerability

Internet Explorer URL hiding vulnerability 12 years 11 months ago #2041

  • sahirh
  • Honored Member
  • Posts: 1700
  • Karma: 0
I picked this up on the security lists yesterday and played around with it a bit.

There's a vulnerability in IE that allows someone to craft a URL making it appear to be somewhere else.. in other words when you look at the address bar or hover on the link, you'll see the name of the site you think you're at.. but you will be at another page. Obviously this is important because of the number of social engineering scams that can use this (think of people going to pages they think are eBay or PayPal).

If you wanna check this out, copy the following code into a text document and save it as .html then open it in IE.. hover on the link and see where it says it's taking you.. then click the link.. and notice that you're not actually where you think you are ;)

[code:1]
<html>
<body>
<a href="http://www.google.com%00@tftfotw.blogspot.com">Google</a>
</body>
</html>

[/code:1]

Some people are saying this is a trivial issue.. I disagree, because it's very hard to detect unless you look at the source or notice what IP you're connected to... both very unlikely situations.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
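
A defender-side check for the link form shown in the post above, added here as an example and not part of the original thread: it parses each `<a href>`, reports the host the browser would really contact, and flags userinfo (the part before `@`) that carries a control byte such as `%00` or that itself looks like a hostname. The names `audit_url` and `audit_html` are hypothetical, and the second sample link is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Bytes below 0x20 and DEL have no business in a URL's userinfo field.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Userinfo that itself looks like a DNS name is a strong spoofing hint.
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

def audit_url(url):
    """Return (real_host, findings) for one URL (hypothetical helper)."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return parts.hostname, findings
    # Everything before the last "@" is userinfo, not the destination.
    userinfo = unquote(parts.netloc.rpartition("@")[0])
    findings.append("userinfo-present")
    if CONTROL.search(userinfo):
        findings.append("control-char-in-userinfo")
    decoy = CONTROL.sub("", userinfo).split(":")[0]
    if HOSTLIKE.match(decoy) and decoy.lower() != parts.hostname:
        findings.append("userinfo-looks-like-host:" + decoy)
    return parts.hostname, findings

class LinkAuditor(HTMLParser):
    """Collect (href, real_host, findings) for every <a href> in a document."""

    def __init__(self):
        super().__init__()
        self.results = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.results.append((href, *audit_url(href)))

def audit_html(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.results

# Sample input: the link from the post above plus one constructed benign link.
SAMPLE = """<a href="http://www.google.com%00@tftfotw.blogspot.com">Google</a>
<a href="https://www.example.org/page">Example</a>"""

if __name__ == "__main__":
    for href, host, findings in audit_html(SAMPLE):
        print(host, findings or "ok", href)
```

The same check can be run over mail bodies or proxy logs, since a hostname-shaped userinfo field is rare in legitimate links.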

Re: Internet Explorer URL hiding vulnerability 12 years 11 months ago #2056

  • Chris
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
When was this vulnerability posted in the security lists, Sahir?

I must agree with you that it's not a trivial issue!! Has Microsoft come up with any patch for it?
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx

Re: Internet Explorer URL hiding vulnerability 12 years 11 months ago #2057

  • sahirh
  • Honored Member
  • Posts: 1700
  • Karma: 0
Chris, I caught the vulnerability a day before I posted.. in other words on the 12th.

So far I haven't seen any word of a patch... Microsoft had also said that they wouldn't be releasing any patches in December.. but they've already had to release at least one.

I figure we'll be seeing an IE cumulative patch pretty soon.. if I notice it I'll post a link.

For those of you who didn't try out the vulnerability above, you can check out a working version at my blog. Here's a direct link to the post:
tftfotw.blogspot.com/2003_12_01_tftfotw_...l#107126717526620477

It will appear to take you to www.google.com and it actually brings you to firewall.cx :)

Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com

Re: Internet Explorer URL hiding vulnerability 12 years 11 months ago #2058

  • TomaHawK
  • New Member
  • Posts: 12
  • Karma: 0
OMG! This is the end of the world as we know it! Not really, I read the post and thought.. hmm, not that bad, and then I tried "googling" firewall.cx... this does not bode well!
all errors are intended, correction will lead to sudden death

Re: Internet Explorer URL hiding vulnerability 12 years 11 months ago #2073

  • Wild_khan
  • New Member
  • Posts: 6
  • Karma: 0
man....i want to know how microsoft defines 'trivial'.....u can send surfers on a roller coaster ride to hell using this one....i remember there wuz this method where u wud make a fake page (yep phishing) imitating the hotmail page...n pray the user enter his password without noticing the url.....now it duznt matter if he notices the url.... :twisted: .....
b4 i sign gimme a pencil...and a sharpner...and a rubber...ohh sorry i dont use a pencil...i use a pen...