Microsoft Internet Explorer Location Object Webpage Spoofing Vulnerability
TITLE: Microsoft Internet Explorer Location Object Webpage Spoofing Vulnerability
CLASS: Design Error
CVE:
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 04 2007 12:00AM
UPDATE: Jun 05 2007 04:40PM
CREDIT: Michal Zalewski reported this issue.
VULNERABLE:
Microsoft Internet Explorer 6.0 SP2
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
-Citrix ICA Client for Windows 4.0 SP6a
-Microsoft Windows 2000 Advanced Server SP2
-Microsoft Windows 2000 Advanced Server SP1
-Microsoft Windows 2000 Advanced Server
-Microsoft Windows 2000 Datacenter Server SP2
-Microsoft Windows 2000 Datacenter Server SP1
-Microsoft Windows 2000 Datacenter Server
-Microsoft Windows 2000 Professional SP2
-Microsoft Windows 2000 Professional SP1
-Microsoft Windows 2000 Professional
-Microsoft Windows 2000 Server SP2
-Microsoft Windows 2000 Server SP1
-Microsoft Windows 2000 Server
-Microsoft Windows 2000 Terminal Services SP2
-Microsoft Windows 2000 Terminal Services SP1
-Microsoft Windows 2000 Terminal Services
-Microsoft Windows 98
-Microsoft Windows 98SE
-Microsoft Windows ME
-Microsoft Windows NT 4.0 SP6a
-Microsoft Windows NT Enterprise Server 4.0 SP6a
-Microsoft Windows NT Server 4.0 SP6a
-Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional
NOT VULNERABLE:
Go to the original page on Security Focus
Discussion
Microsoft Internet Explorer is prone to a webpage-spoofing vulnerability.
Attackers may exploit this vulnerability via a malicious webpage to spoof the contents and origin of a page that the victim may trust. Attackers may find this issue useful in phishing or other attacks that rely on content spoofing.
Exploit
To exploit this issue, an attacker must entice an unsuspecting user to visit a maliciously crafted webpage.
A proof-of-concept webpage has been created to demonstrate this issue. Please see the references for details.
Solution
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
References