Vulnerability Note VU#925430

Multiple web browsers do not properly interpret TABLE elements when displaying URLs in the status bar

Original Release date: 04 Nov 2004 | Last revised: 05 Nov 2004

Overview

Multiple web browsers do not properly display the location of HTML documents in the status bar. An attacker could exploit this behavior to mislead users into revealing sensitive information.

Description

Web browsers frequently display the Uniform Resource Locator (URL) in the status bar when a user moves the cursor over links contained within the page. A vulnerability exists in the way multiple web browsers interpret HTML to determine the correct URL to display in the browser's status bar.

The Hypertext Markup Language (HTML) supports the use of the TABLE element. The TABLE element is used to organize content into a series of rows and columns of cells within the document. When certain web browsers encounter a specific series of ANCHOR (e.g., <a href="..."></a>) and TABLE elements, they will display a URL in the status bar that is different than the URL that is accessed when the user clicks on the link.

To illustrate this scenario, please see below:

[begin anchor1]
     [begin table]
          [begin anchor2]
          [end anchor2]
     [end table]
[end anchor1]

In the scenario depicted above, anchor1 will be displayed in the browser's status bar and anchor2 will be accessed when the user clicks on the link.

Note: In the case of Internet Explorer, exploitation of this vulnerability does not require Active scripting to be enabled.

Impact

An attacker could mislead a user to into believing that the URL specified in the status bar is the site that will be accessed when the user clicks on the link. However, when the user clicks on the link they will visit a site different than the URL specified in the status bar and potentially controlled by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords.

Solution

We are currently unaware of a practical solution to this problem.

Install Windows XP Service Pack 2 (SP2)

Microsoft Windows XP SP2 does not appear to be affected by this vulnerability.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Affected-04 Nov 2004
Microsoft CorporationAffected-04 Nov 2004
KDE Desktop Environment ProjectUnknown-04 Nov 2004
MozillaUnknown-04 Nov 2004
Opera SoftwareUnknown-04 Nov 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by Benjamin Tobias Franz.

This document was written by Will Dormann and Damon Morda.

Other Information

  • CVE IDs: Unknown
  • Date Public: 28 Oct 2004
  • Date First Published: 04 Nov 2004
  • Date Last Updated: 05 Nov 2004
  • Severity Metric: 0.33
  • Document Revision: 16

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.