Vulnerability Note VU#652278

Microsoft Internet Explorer does not properly display URLs

Overview

Microsoft Internet Explorer does not properly display the location of HTML documents. An attacker could exploit this behavior to mislead users into revealing sensitive information.

I. Description

Web browsers frequently display the Uniform Resource Locator (URL) in the address bar. Users expect this information to indicate the source of the current browser frame. Microsoft Internet Explorer (IE) does not properly display URLs that contain certain non-printable characters. IE may connect to one address but display a different address.

Per RFC 2396, the URL scheme for HTTP is represented as

  <userinfo>@<host>:<port>

When IE encounters a NULL or similar non-printable character before the @ sign, the browser displays the <userinfo> data but accesses the location specified by the <host>:<port> portion of the URL. The code that renders the address bar and the status bar does not properly handle NULL and other non-printable characters, so both the address bar and the status bar show the truncated URL.

Even in the absence of this vulnerability, a class of social engineering attacks (also called "phishing") attempts to mislead a user into visiting a web site that appears to be legitimate but is in fact under the control of an attacker. The attacker might disguise the actual location of a URL by populating <userinfo> with credible data and obfuscating <host>:<port> with various URL representations, URL encoding, or other techniques. By making the web site appear to be legitimate, the attacker seeks to convince the user to provide sensitive information such as credit card numbers, account numbers, and passwords.

The vulnerability described in this document significantly adds to the attacker's ability to mislead users, since only <userinfo> is visible, not the actual location of the URL.
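The following is an added example and is not part of the US-CERT note. It shows how a mail gateway or proxy filter can parse a URL the way RFC 2396 intends, report the host that will actually be contacted, and flag the <userinfo> patterns the note describes (control characters such as NULL before the @ sign, "user:password" data, and userinfo that resembles a hostname). The sample URLs are constructed and use example.org/example.net placeholders; the field names in the returned dictionary are this example's own.

```python
# Added example (not from the US-CERT note): classify URLs whose <userinfo>
# portion could mislead a user about the real <host>:<port> destination.
import re
from urllib.parse import urlsplit, unquote

# ASCII control characters, including NULL, must never appear in the
# authority part of a URL; a percent-encoded form (e.g. %00) is decoded
# before the check so it is treated the same as a raw byte.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def analyze_url(url: str) -> dict:
    """Return the effective host and a list of warnings for deceptive userinfo.

    effective_host is what a correct parser connects to: the text after the
    last '@' in the authority. userinfo is the decoded text before that '@'.
    """
    parts = urlsplit(url)
    userinfo = ""
    if "@" in parts.netloc:
        # rpartition: everything before the LAST '@' is userinfo per RFC 2396
        userinfo, _, _ = parts.netloc.rpartition("@")
    decoded = unquote(userinfo)

    warnings = []
    if decoded:
        warnings.append("userinfo present: displayed text may differ from destination host")
    if CONTROL_CHARS.search(decoded):
        warnings.append("control character in userinfo: address bar truncation possible")
    if ":" in decoded:
        warnings.append("password in userinfo (user:password), discouraged by RFC 2396")
    if decoded and "." in decoded:
        warnings.append("userinfo looks like a hostname: likely spoofing attempt")

    return {
        "effective_host": parts.hostname,   # host a correct parser contacts
        "userinfo": decoded,
        "warnings": warnings,
    }


# Constructed sample inputs (placeholder domains, not real sites)
SAMPLE_URLS = [
    "https://www.example.org/account",                 # plain URL, no userinfo
    "http://www.example.org%00@example.net/login",     # NULL before '@' (note's pattern)
    "http://user:secret@example.net/",                 # user:password in userinfo
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyze_url(sample)
        print(repr(sample), "->", result["effective_host"], result["warnings"])
```

A filter built on this check should act on effective_host, never on the text before the @ sign, since only the former determines where the browser connects.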

Outside the scope of this vulnerability, it is worth noting that RFC 2396 specifically recommends against including passwords in the <userinfo> portion of a URL:

    Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used.

II. Impact

An attacker could convince a user that they were viewing a legitimate site when in fact they are visiting a site controlled by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords.

III. Solution

Apply patch

Apply the patch (832894) referenced in Microsoft Security Bulletin MS04-004 or a more recent IE cumulative patch.

Note that after applying the patch, the status bar continues to display the truncated URL.

Enter URLs manually

Do not click on URLs from untrusted sources such as unsolicited email or instant messages. Type URLs or use trusted bookmarks for sensitive sites.

For further information about safely determining URLs in IE, please see Microsoft Knowledge Base Article 833786. Also, Microsoft Knowledge Base Article 834489 discusses a change that causes IE to no longer support the "user:password" format for the <userinfo> portion of HTTP and HTTPS URLs.

Systems Affected

Vendor: Microsoft Corporation
Status: Vulnerable
Date Notified / Date Updated: 2-Feb-2004

References

http://www.us-cert.gov/cas/techalerts/TA04-033A.html
http://www.us-cert.gov/cas/alerts/SA04-033A.html
http://www.securityfocus.com/archive/1/346948
http://lists.netsys.com/pipermail/full-disclosure/2003-December/014663.html
http://lists.netsys.com/pipermail/full-disclosure/2003-December/014794.html
http://lists.netsys.com/pipermail/full-disclosure/2003-December/014796.html
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0312&L=ntbugtraq&F=P&S=&P=6444
http://www.ietf.org/rfc/rfc1738.txt
http://www.ietf.org/rfc/rfc2396.txt
http://www.webopedia.com/TERM/p/phishing.html
http://www.antiphishing.org/phishing_archive.htm
http://www.secunia.com/advisories/10395/
http://secunia.com/internet_explorer_address_bar_spoofing_test/
http://www.securityfocus.com/bid/9182
http://xforce.iss.net/xforce/xfdb/13935
http://xforce.iss.net/xforce/alerts/id/159
http://www.securiteam.com/windowsntfocus/5UP0P0AAKK.html
http://support.microsoft.com/?id=833786
http://support.microsoft.com/?id=834489
http://support.microsoft.com/?id=200351
http://support.microsoft.com/?id=832414
http://support.microsoft.com/?id=831167
http://www.microsoft.com/security/incident/spoof.asp

Credit

This vulnerability was publicly reported by Zap The Dingbat.

This document was written by Art Manion and Shawn Hernan.

Other Information

Date Public: 2003-12-09
Date First Published: 2003-12-19
Date Last Updated: 2004-02-17
CERT Advisory:
CVE-ID(s): CAN-2003-1025
NVD-ID(s): CAN-2003-1025
US-CERT Technical Alerts:
Metric: 14.29
Document Revision: 65

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2003 Carnegie Mellon University