Overview
Multiple web browsers do not properly display the location of HTML documents in the status bar. An attacker could exploit this behavior to mislead users into revealing sensitive information.
Description
Web browsers frequently display the Uniform Resource Locator (URL) in the status bar when a user moves the cursor over links contained within the page. A vulnerability exists in the way multiple web browsers interpret HTML to determine the correct URL to display in the browser's status bar. The Hypertext Markup Language (HTML) supports the use of the BASE and FORM elements. The BASE element is used to define the base href for the document. For instance, assume that a web developer specifies the following tag in an HTML document: |
Impact
An attacker could mislead a user to into believing that the URL specified in the status bar is the site that will be accessed when the user clicks on the link. However, when the user clicks on the link they will visit a site different than the URL specified in the status bar and potentially controlled by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords. |
Solution
We are currently unaware of a practical solution to this problem. |
Read and send email in plain text format |
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
References
Acknowledgements
This vulnerability was reported by http-equiv.
This document was written by Will Dormann and Damon Morda.
Other Information
CVE IDs: | None |
Severity Metric: | 0.33 |
Date Public: | 2004-11-01 |
Date First Published: | 2004-11-04 |
Date Last Updated: | 2004-11-04 21:53 UTC |
Document Revision: | 27 |