New (19.10.05) MS-IE Url Spoofing bug (by K-Gen).
Gr337s .. I (K-Gen) have found a new (I think..) URL spoofing bug in IE.
Affected : All MS-IE Browsers (Win XP SP2 as well).
This allows a malicious website to host a specially crafted A HREF tag that shows to the user as a link to one location, but actually redirects to another. This can be used in Phishing scams and other malicious attacks.
The basic idea here is to write a geniune <a href=""> </a>tag but include an onClick event handeler that will redirect (window.location="";) to another page. The next example won't work:
<a href="http://microsoft.com" onClick="window.location='http://google.com';">Microsoft</a>
Probably there is some protection in IE .. but not enough :)
If we try the next thing:
<a href="http://microsoft.com" onClick="alert()">Microsoft</a>
An alert WILL pop-up before redirecting. The same thing will happen to the document.write(""); method, it will execute before redirection.
Hence, the next Proof of Concept:
<a href="http://microsoft.com" onClick="document.write(unescape('%3cscript%3ewindow.location=%27http://google.com%27%3c/script%3e'))">Microsoft</a>
Put the code into an HTML page and see for yourself. In the status bar and in the properties the link appears as http://microsoft.com , but if you click on the link it will redirect you to http://google.com .
I used unescape becuse characters like < > and ' cause run-time errors...
This is not extremely critical as the old %01@ bug (That still works on my IE sp1 :lol:), becuase It does not obscure the real link in the Address bar, but i bet there will be a PoC for this one too, sooner or later...
Have a Nice Day. K-Gen
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/