Microsoft Internet Explorer Lets Remote Users Partially Spoof Address Bar URLs
|
|
SecurityTracker Alert ID: 1017122
|
|
SecurityTracker URL: http://securitytracker.com/id?1017122
|
|
CVE Reference: CVE-2006-5544
|
Updated: Jun 3 2008
|
Original Entry Date: Oct 26 2006
|
Impact: Modification of system information
|
Vendor Confirmed: Yes
|
Version(s): 7.0
|
Description: A vulnerability was reported in Microsoft Internet Explorer. A remote user can spoof address bar URLs for popup windows.
A remote user can create specially crafted HTML that, when loaded by the target user, will open a popup window containing content from an arbitrary site but showing an apparently different address. A portion of the URL is not initially displayed.
A demonstration exploit is available at:
http://secunia.com/internet_explorer_7_popup_address_bar_spoofing_test/
[Editor's note: In our testing of the Secunia demonstration, the actual URL of the window was displayed in the popup window and no address spoofing was observed.]
|
Impact: A remote user can spoof address bar URLs for popup windows.
|
Solution: On October 31, 2006, Microsoft stated that the actual URL of the popup page is displayed and that this is not a vulnerability.
The Microsoft notices are available at:
http://blogs.technet.com/msrc/archive/2006/10/26/ie-address-bar-issue.aspx
http://blogs.technet.com/msrc/archive/2006/10/31/information-on-address-bar-issue.aspx
|
Vendor URL: blogs.technet.com/msrc/archive/2006/10/31/information-on-address-bar-issue.aspx
|
Cause: Input validation error
|
Underlying OS: Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 26 Oct 2006 01:20:07 -0400
Subject: Microsoft Internet Explorer (IE) address bar partial spoofing
|
http://blogs.technet.com/msrc/archive/2006/10/26/ie-address-bar-issue.aspx
|
|