Microsoft Internet Explorer does not properly display URLs

Overview

Microsoft Internet Explorer does not properly display the location of HTML documents. An attacker could exploit this behavior to mislead users into revealing sensitive information.

Description

Web browsers frequently display the Uniform Resource Locator (URL) in the address bar. Users expect this information to indicate the source of the current browser frame. Microsoft Internet Explorer (IE) does not properly display URLs that contain certain non-printable characters. IE may connect to one address but display a different address.

Per RFC 2396, the URL scheme for HTTP is represented as

<userinfo>@<host>:<port>

When IE encounters a NULL or similar non-printable character before the @ sign, the browser displays the <userinfo> data but accesses the correct location specified by the <host>:<port> portion of the URL. Code that displays the contents of the address bar and the status bar does not properly handle NULL and other non-printable characters. Both the address bar and the display bar show the truncated URL.

Even in the absence of this vulnerability, a class of social engineering attacks (also called “phishing”) attempts to mislead a user into visiting a web site that appear to be legitimate but is in fact under the control of an attacker. The attacker might disguise the actual location of a URL by populating <userinfo> with credible data and obfuscating <host>:<port> with various URL representations, URL encoding, or other techniques. By making the web site appear to be legitimate, the attacker seeks to convince the user to provide sensitive information such as credit card numbers, account numbers, and passwords.

The vulnerability described in this document significantly adds to the attacker’s ability to mislead users, since only <userinfo> is visible, not the actual location of the URL.

Outside the scope of this vulnerability, it is worth noting that RFC 2396 specifically recommends against including passwords in the <userinfo> portion of a URL:

Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used.

---

Impact

An attacker could convince a user that they were viewing a legitimate site when in fact they are visiting a site controlled by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords.

---

Solution

Apply patch

Apply the patch (832894) referenced in Microsoft Security Bulletin MS04-004 or a more recent IE cumulative patch.

Note that after applying the patch, the status bar continues to display the truncated URL.

---

Enter URLs manually

Do not click on URLs from untrusted sources such as unsolicited email or instant messages. Type URLs or use trusted bookmarks for sensitive sites.

For further information about safely determining URLs in IE, please see Microsoft Knowledge Base Article 833786. Also, Microsoft Knowledge Base Article 834489 discusses a change that causes IE to no longer support the "user:password" format for the <userinfo> portion of HTTP and HTTPS URLs.

---

Vendor Information

652278

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: December 09, 2003 Updated: February 02, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS04-004.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23652278 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/archive/1/346948&gt;
• <http://lists.netsys.com/pipermail/full-disclosure/2003-December/014663.html&gt;
• <http://lists.netsys.com/pipermail/full-disclosure/2003-December/014794.html&gt;
• <http://lists.netsys.com/pipermail/full-disclosure/2003-December/014796.html&gt;
• http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0312&L=ntbugtraq&F=P&S=&P=6444
• <http://www.ietf.org/rfc/rfc1738.txt&gt;
• <http://www.ietf.org/rfc/rfc2396.txt&gt;
• <http://www.webopedia.com/TERM/p/phishing.html&gt;
• <http://www.antiphishing.org/phishing_archive.htm&gt;
• <http://www.secunia.com/advisories/10395/&gt;
• <http://secunia.com/internet_explorer_address_bar_spoofing_test/&gt;
• <http://www.securityfocus.com/bid/9182&gt;
• <http://xforce.iss.net/xforce/xfdb/13935&gt;
• <http://xforce.iss.net/xforce/alerts/id/159&gt;
• <http://www.securiteam.com/windowsntfocus/5UP0P0AAKK.html&gt;
• <http://support.microsoft.com/?id=833786&gt;
• <http://support.microsoft.com/?id=834489&gt;
• <http://support.microsoft.com/?id=200351&gt;
• <http://support.microsoft.com/?id=832414&gt;
• <http://support.microsoft.com/?id=831167&gt;
• <http://www.microsoft.com/security/incident/spoof.asp&gt;

Acknowledgements

This vulnerability was publicly reported by Zap The Dingbat.

This document was written by Art Manion and Shawn Hernan.

Other Information

CVE IDs:	CVE-2003-1025
Severity Metric:	14.29 Date Public: