Misleading Status Bar in Apple Safari Web Browser - exploit.company
vendor: Safari Web Browser
by: Unknown
CVSS: 5.5 (MEDIUM)
CWE: 601 (Misrepresentation)
Product Name: Safari Web Browser
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE:
CPE: a:apple:safari_web_browser
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Misleading Status Bar in Apple Safari Web Browser

The vulnerability allows an attacker to misrepresent the status bar in the Apple Safari Web Browser. By creating an HTML form with a legitimate site as the submit value and an attacker-specified site as the action property, the attacker can mislead users into following a link to a malicious site. The same effect can be achieved by embedding the malicious form in a link using the HTML Anchor tag and specifying the legitimate site as the href property.

Mitigation:

No known mitigation is currently available for this vulnerability.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/11949/info

A vulnerability has been identified in Apple Safari Web Browser that allows an attacker to misrepresent the status bar in the browser, allowing vulnerable users to be misled into following a link to a malicious site.

The issue presents itself when an attacker creates an HTML form with the submit 'value' property set to a legitimate site and the 'action' property set to the attacker-specified site. The malicious form could also be embedded in a link using the HTML Anchor tag and specifying the legitimate site as the 'href' property. As a result, the attacker-supplied link would point to the legitimate site and the status bar would display the address of the legitimate site as well.

<form action="http://www.malicious.com/" method="get">
<a href="http://www.example.com/"><input type="image" src="http://images.example.com/title.gif"></a>
</form>
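The pattern above is mechanically detectable in markup: a submit control (an image or submit input, or a submit button) nested inside an anchor whose href points at one host while the enclosing form's action posts to another. The following scanner is an added example for reviewers of page content or proxied HTML, not code from the advisory or from SecurityFocus; the scanner class, the find_mismatches function and its base_url parameter are assumptions introduced here, and the sample markup is the advisory's own proof of concept plus a constructed benign counterpart with a relative action.

```python
"""Flag HTML where an anchor's visible destination disagrees with the form
that a submit control inside it actually submits to (the Safari status-bar
misrepresentation pattern: href host != form action host)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormAnchorMismatchScanner(HTMLParser):
    """Track open <form> and <a> elements while parsing; whenever a submit
    control appears inside both, compare the hosts of the anchor's href and
    the form's action (both resolved against base_url so relative actions
    on the same site are not reported)."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []      # stack of action URLs for currently open <form> elements
        self.anchors = []    # stack of href URLs for currently open <a> elements
        self.findings = []   # list of (resolved_href, resolved_action) mismatches

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(urljoin(self.base_url, a.get("action") or ""))
        elif tag == "a":
            self.anchors.append(urljoin(self.base_url, a.get("href") or ""))
        elif tag == "input" and (a.get("type") or "text").lower() in ("image", "submit"):
            self._check()
        elif tag == "button" and (a.get("type") or "submit").lower() == "submit":
            self._check()

    def handle_endtag(self, tag):
        # <input> is a void element, so only form and anchor need popping.
        if tag == "form" and self.forms:
            self.forms.pop()
        elif tag == "a" and self.anchors:
            self.anchors.pop()

    def _check(self):
        # A submit control only misleads when it sits inside both an <a> and a <form>.
        if not self.forms or not self.anchors:
            return
        action, href = self.forms[-1], self.anchors[-1]
        if urlparse(action).netloc.lower() != urlparse(href).netloc.lower():
            self.findings.append((href, action))


def find_mismatches(html, base_url):
    """Return (anchor href, form action) pairs whose hosts disagree."""
    scanner = FormAnchorMismatchScanner(base_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Sample 1: the advisory's proof-of-concept markup, reproduced as test input.
POC_MARKUP = (
    '<form action="http://www.malicious.com/" method="get">'
    '<a href="http://www.example.com/">'
    '<input type="image" src="http://images.example.com/title.gif"></a>'
    '</form>'
)

# Sample 2 (constructed): same shape, but the relative action resolves to the
# anchor's own host, so nothing is misrepresented and nothing is reported.
BENIGN_MARKUP = (
    '<form action="/search" method="get">'
    '<a href="http://www.example.com/"><input type="image" src="/go.gif"></a>'
    '</form>'
)

if __name__ == "__main__":
    for label, markup in (("poc", POC_MARKUP), ("benign", BENIGN_MARKUP)):
        for href, action in find_mismatches(markup, "http://www.example.com/"):
            print(f"{label}: link shows {href} but form submits to {action}")
```

Only the hostnames are compared, so a form that posts to a different path on the same site is not reported; tighten the comparison to full origins (scheme and port as well) if the deployment needs it.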