Full Disclosure mailing list archives
Re: New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
From: Mike Camden <mike.camden () gmail com>
Date: Thu, 20 Oct 2005 13:35:03 -0500
I thought this was by design since you may have a known url to go to but only after some form of validation has been passed.

On 10/20/05, K-Gen Gen <alphakgen () gmail com> wrote:

New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).

Gr337s .. I (K-Gen) have found a new (I think..) URL spoofing bug in IE.

Affected : All MS-IE Browsers (Win XP SP2 as well).

This allows a malicious website to host a specially crafted A HREF tag that shows to the user as a link to one location, but actually redirects to another. This can be used in Phishing scams and other malicious attacks.

The basic idea here is to write a genuine <a href=""> </a> tag but include an onClick event handler that will redirect (window.location="";) to another page.

The next example won't work:

<a href="http://microsoft.com" onClick="window.location='http://google.com';">Microsoft</a>

Probably there is some protection in IE .. but not enough :)

If we try the next thing:

<a href="http://microsoft.com" onClick="alert()">Microsoft</a>

An alert WILL pop-up before redirecting. The same thing will happen to the document.write(""); method, it will execute before redirection.

Hence, the next Proof of Concept:

<a href="http://microsoft.com" onClick="document.write (unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e'))">Microsoft</a>

Put the code into an HTML page and see for yourself. In the status bar and in the properties the link appears as http://microsoft.com , but if you click on the link it will redirect you to http://google.com . I used unescape because characters like < > and ' cause run-time errors...

This is not extremely critical as the old %01@ bug (That still works on my IE sp1 :lol:), because it does not obscure the real link in the Address bar, but I bet there will be a PoC for this one too, sooner or later...

Have a Nice Day.
K-Gen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
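As an added defender-side example (not from the post or from either author), a small Python auditor that scans HTML for anchors whose inline click handler can send the click somewhere other than the href shown in the status bar, the pattern K-Gen describes. It also percent-decodes the handler so that a destination hidden inside unescape('...') is visible to the check. The sample page, the benign tracking link and the pattern names are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Inline-handler fragments that can steer a click away from the href shown to the user.
REDIRECT_PATTERNS = {
    "location-assignment": re.compile(r"\blocation(\.href)?\s*=(?!=)", re.I),
    "location-call": re.compile(r"\blocation\.(assign|replace)\s*\(", re.I),
    "document-write": re.compile(r"\bdocument\.write(ln)?\s*\(", re.I),
}
CLICK_HANDLERS = ("onclick", "onmousedown", "onmouseup")

class AnchorAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names for us
        href = attrs.get("href")
        for name in CLICK_HANDLERS:
            handler = attrs.get(name)
            if not href or not handler:
                continue
            # Check the raw handler and its percent-decoded form, so a destination
            # hidden inside unescape('%3cscript%3e...') is seen as well.
            text = handler + "\n" + unquote(handler)
            reasons = sorted(k for k, p in REDIRECT_PATTERNS.items() if p.search(text))
            if reasons:
                self.findings.append({"href": href, "handler": name, "reasons": reasons})

def audit_html(html):
    """Return one finding per anchor whose click handler may redirect elsewhere."""
    parser = AnchorAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the three anchors from the post plus a benign tracking link.
SAMPLE_HTML = """
<a href="http://microsoft.com" onClick="window.location='http://google.com';">Microsoft</a>
<a href="http://microsoft.com" onClick="alert()">Microsoft</a>
<a href="http://microsoft.com" onClick="document.write (unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e'))">Microsoft</a>
<a href="http://example.com/" onclick="track('nav');">Example</a>
"""
```

Running audit_html(SAMPLE_HTML) flags the first and third anchors (the alert() and tracking handlers pass), which is the kind of check a mail or proxy content filter can apply before a user ever sees the status-bar URL.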