Software Engineering Institute

Web browsers frequently display the Uniform Resource Locator (URL) in the status bar when a user moves the cursor over links contained within the page. A vulnerability exists in the way multiple web browsers interpret HTML to determine the correct URL to display in the browser's status bar.

The Hypertext Markup Language (HTML) supports the use of the BASE and FORM elements. The BASE element is used to define the base href for the document. For instance, assume that a web developer specifies the following tag in an HTML document:

<base href="http://www.example.com">

If the web developer specifies a link to a document (e.g., index.html) without using a fully qualified URL (e.g., http://www.example.com/index.html), the URL will rely on the base href to complete the URL. The FORM element is used to define a section of the document that can have buttons, textboxes, and labels. When a user completes the form, it can then be submitted. The form's action property specifies where the data in the form is sent for processing.

When certain web browsers encounter a BASE element prior to a FORM element, they will use the BASE element's URL to display in the status bar, but access the URL specified in the FORM element when the user clicks on the link.

Note: In the case of Internet Explorer, exploitation of this vulnerability does not require Active scripting to be enabled.

An attacker could mislead a user to into believing that the URL specified in the status bar is the site that will be accessed when the user clicks on the link. However, when the user clicks on the link they will visit a site different than the URL specified in the status bar and potentially controlled by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords.

We are currently unaware of a practical solution to this problem.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.