Microsoft Internet Explorer Lets Remote Users Partially Spoof Address Bar URLs
|
SecurityTracker Alert ID: 1017122 |
|
SecurityTracker URL: http://securitytracker.com/id/1017122
|
CVE Reference: CVE-2006-5544
|
Updated: Jun 3 2008
|
Original Entry Date: Oct 26 2006
|
Impact: Modification of system information
|
Vendor Confirmed: Yes
|
Version(s): 7.0
|
Description:
A vulnerability was reported in Microsoft Internet Explorer. A remote user can spoof address bar URLs for popup windows.
A remote user can create specially crafted HTML that, when loaded by the target user, will open a popup window containing content from an arbitrary site but showing an apparently different address. A portion of the URL is not initially displayed.
A demonstration exploit is available at:
http://secunia.com/internet_explorer_7_popup_address_bar_spoofing_test/
[Editor's note: In our testing of the Secunia demonstration, the actual URL of the window was displayed in the popup window and no address spoofing was observed.]
|
Impact:
A remote user can spoof address bar URLs for popup windows.
|
Solution:
On October 31, 2006, Microsoft stated that the actual URL of the popup page is displayed and that this is not a vulnerability.
The Microsoft notices are available at:
http://blogs.technet.com/msrc/archive/2006/10/26/ie-address-bar-issue.aspx
http://blogs.technet.com/msrc/archive/2006/10/31/information-on-address-bar-issue.aspx
|
Vendor URL: blogs.technet.com/msrc/archive/2006/10/31/information-on-address-bar-issue.aspx
|
Cause: Input validation error
|
Underlying OS: Windows (Any)
|
Message History: None.
|
Source Message Contents
|
Date: Thu, 26 Oct 2006 01:20:07 -0400
Subject: Microsoft Internet Explorer (IE) address bar partial spoofing
|
http://blogs.technet.com/msrc/archive/2006/10/26/ie-address-bar-issue.aspx
|