Re: New URL spoofing bug in Microsoft Internet Explorer

0-1-2-3@gmx.de wrote Thursday, October 28, 2004 17:38

> The example below will display a faked URL
> ("http://www.microsoft.com/";) in the status bar of the
> window, if you move your mouse over the link. Click on the
> link and IE will go to "http://www.google.com/"; and NOT to
> "http://www.microsoft.com/"; .
>
> <a href="http://www.microsoft.com/";><table><tr><td><a
> href="http://www.google.com/";>Click here</td></tr></table></a>

My results differ. IE6.0 SP2 +patches on XP SP2 +patches

If I hold the cursor just above the "Click here" hyperlinked text, the
status bar does display the microsoft link - but clicking there does not
take me anywhere. But if I move the tip of the cursor down onto the text, it
displays the google link. So for some users who point the cursor high on the
link, it might be of some use. But otherwise it is not too tricky.

This would be consistent with the layout since there is a hyperlinked blank
area of the table pointing at microsoft. The hyperlinked table will not
actually take me anywhere if I click on it though - it just displays the URL
in the status bar.

The effect can be dramatized by adding more table rows:
<a
href="http://www.microsoft.com/";><table><tr><td><tr><td><tr><td><tr><td><tr>
<td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td>
<tr><td><tr><td><tr><td><a
href="http://www.google.com/";>Click here</td></tr></table></a>

I can also pad the area below the table.

<a
href="http://www.microsoft.com/";><table><tr><td><tr><td><tr><td><tr><td><tr>
<td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td>
<tr><td><tr><td><tr><td><a
href="http://www.google.com/";>Click
here<tr><td><tr><td><tr><td><tr><td></td></tr></table></a>

Interestingly if I add table rows just before the hyperlinked text, the text
loses its hyperlinked status entirely. The blank table rows still trigger
the status bar display change, and IE "protects" me from dragging and
dropping the hyperlink, but no amount of clicking takes my browser anywhere
at all.

<a
href="http://www.microsoft.com/";><table><tr><td><tr><td><tr><td><tr><td><tr>
<td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td>
<tr><td><tr><td><tr><td><a
href="http://www.google.com/";><td><tr>Click here</td></tr></table></a>

Add some more tr and td tags after the hyperlinked text, and it gets its
underline back but still does not take me anywhere - and it splits "Click"
and "here" onto separate lines.

<a
href="http://www.microsoft.com/";><table><tr><td><tr><td><tr><td><tr><td><tr>
<td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td><tr><td>
<tr><td><tr><td><tr><td><a
href="http://www.google.com/";><td><tr>Click
here<tr><td><tr><td><tr><td><tr><td></td></tr></table></a>

So there is some odd stuff going on with rendering and parsing, but it looks
like it would take more experimentation to see if there is anything
exploitable here.

It could make for some irritating trouble ticket spoofs - Help! I can't
click this link!

--
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such 
that just hitting reply is going to result in the message coming to the list, 
not to the individual who sent the message. This was done to help reduce the 
number of Out of Office messages posters received. So if you want to send a 
reply just to the poster, you'll have to copy their email address out of the 
message and place it in your TO: field.
--