SecurityTracker.com
SecurityTracker Archives

Category: Application (E-mail Client) > Eudora
Vendors: Qualcomm
Eudora Fails to Correctly Display the Status Bar for URLs Containing Many HTML Character Entities
SecurityTracker Alert ID:  1010117
SecurityTracker URL:  http://securitytracker.com/id/1010117
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 11 2004
Impact:   Modification of user information
Exploit Included:  Yes  

Description:   A vulnerability was reported in Eudora. A remote user can cause the target user's Eudora client to obfuscate portions of URLs in the status bar.

Brett Glass reported that a remote user can send an e-mail containing a link with a large number of HTML character entities (such as the encoded space character '&#32') inserted in the middle of the URL, causing the Eudora client to display only part of the URL in the status bar. The portion of the URL that follows the inserted character entities is not displayed in the status bar, the report said.

A demonstration exploit URL is provided:

<a href="http://www.e-gold.com
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
@egegold.com/"><span lang=EN-US
style='mso-ansi-language:EN-US'>http://www.e-gold.com/alert</span></a><br>

According to the report, the target user must view the message source to determine the full URL.
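The following Python is an added example, not part of this advisory and not code from Qualcomm or Eudora. It decodes an href the way a rendering client would (expanding the character entities, including the semicolon-less '&#32' form), parses the resulting authority, and flags a link whose real host differs from the host shown in the link text or that carries a userinfo part before '@'. The sample HTML is constructed to mirror the demonstration link above.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the advisory's demonstration link: the href
# is wrapped across lines and stuffed with 160 encoded spaces before the '@'.
SAMPLE_HTML = (
    '<a href="http://www.e-gold.com\n'
    + ('&#32' * 10 + '\n') * 16
    + '@egegold.com/"><span>http://www.e-gold.com/alert</span></a>'
)

ANCHOR_RE = re.compile(r'<a\s[^>]*?href\s*=\s*"([^"]*)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r'<[^>]+>')
# Named and numeric references, with or without the trailing semicolon.
ENTITY_RE = re.compile(r'&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);?')

def analyze_link(href, text):
    """Compare the decoded href with the visible link text and report mismatches."""
    decoded = html.unescape(href)          # '&#32' -> ' ', as a client would render it
    tokens = decoded.split()               # split on the decoded whitespace run
    # What a status bar that stops at the first whitespace would show the user.
    shown_prefix = tokens[0] if tokens else ""
    # Whitespace cannot be part of a valid authority; remove it so urlsplit
    # sees the host the client will actually connect to (the part after '@').
    parts = urlsplit("".join(tokens))
    visible = html.unescape(TAG_RE.sub("", text)).strip()
    visible_host = urlsplit(visible).hostname if "://" in visible else None
    return {
        "entity_count": len(ENTITY_RE.findall(href)),
        "shown_prefix": shown_prefix,
        "userinfo": parts.username,        # 'www.e-gold.com' in the sample: a decoy
        "real_host": parts.hostname,       # 'egegold.com' in the sample
        "visible_host": visible_host,
        "suspicious": bool(parts.username)
        or (visible_host is not None and visible_host != parts.hostname),
    }

def scan_html(doc):
    """Return one analysis record per anchor found in an HTML mail body."""
    return [analyze_link(h, t) for h, t in ANCHOR_RE.findall(doc)]

if __name__ == "__main__":
    for record in scan_html(SAMPLE_HTML):
        print(record)
```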

Impact:   A remote user can send HTML-based e-mail with an embedded URL in a manner that the target user's Eudora client will not display the full URL in the status bar.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.eudora.com/
Cause:   State error

Message History:   None.


 Source Message Contents

Subject:  Status bar exploit hides spoofed URLs Eudora, possibly other


Eudora (as well as, possibly, other e-mail clients) is susceptible to an exploit which can be used to conceal a fraudulent URL. In a fraudulent ("phishing") spam I received this morning, the sender inserted a large number of character entities (in this case, spaces, coded as &#32) into the middle of a URL to force the remainder off the right side of the status bar, hiding the true destination:

<a href="http://www.e-gold.com
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
&#32&#32&#32&#32&#32&#32&#32&#32&#32&#32
@egegold.com/"><span lang=EN-US
style='mso-ansi-language:EN-US'>http://www.e-gold.com/alert</span></a><br>

When the mouse pointer is passed over the URL, the status bar at the bottom of the screen shows

http://www.egold.com

and does not reveal the spoofed URL. One must view the message source to see the actual URL.

This technique is known to work on some browsers, but this is the first time I've seen it used to spoof e-mail clients.

I am told that if the URL gets much longer, recent versions of Eudora will overflow a buffer in a way that is exploitable by malware. This particular phishing expedition doesn't seem to take advantage of that vulnerability, however.

--Brett Glass

Copyright 2019, SecurityGlobal.net LLC