
SecPod ID: 10177

Microsoft Internet Explorer '&nbsp;' Address Bar URI Spoofing Vulnerability

Status: Public Report

Release Date: 11-04-2008

Severity: High

CVSS Base Score: 4.3 (AV:N/AC:M/Au:NR/C:P/I:N/A:N)

CVSS Temporal Score = 3.9

Affected Software/OS/Device:

Microsoft Internet Explorer versions 6.0 SP1 and prior

Impact Level: Application

 

SecPod Nessus Plugin ID: 900170

Snort ID:

Vulnerability Insight:

 

Overview:

Microsoft Internet Explorer is prone to a URI spoofing vulnerability.

 

Description:

The flaw exists due to a failure to adequately handle specific combinations of the non-breaking space character, such as '&nbsp;'.

 

Impact :

An attacker may leverage this issue to spoof the source URI of a site, which leads to a false sense of trust.

 

CVSS Score Report:    

    ACCESS_VECTOR = NETWORK
    ACCESS_COMPLEXITY = MEDIUM
    AUTHENTICATION = NOT_REQUIRED
    CONFIDENTIALITY_IMPACT = PARTIAL
    INTEGRITY_IMPACT = NONE
    AVAILABILITY_IMPACT = NONE
    EXPLOITABILITY = PROOF_OF_CONCEPT
    REMEDIATION_LEVEL = UNAVAILABLE
    REPORT_CONFIDENCE = CONFIRMED


    CVSS Base Score = 4.3 (AV:N/AC:M/Au:NR/C:P/I:N/A:N)
    CVSS Temporal Score = 3.9

Fix:

No solution/patch is available as of 31st October, 2008.
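
In the absence of a patch, URLs in mail, proxy logs or page links can be screened for the non-breaking space character named in the description. The Python sketch below is an added example, not SecPod's plugin or signature; its function names, the set of encodings it checks and the sample URLs (reserved example domains) are assumptions made here.

```python
import re

# Encodings through which U+00A0 (non-breaking space) can reach a URL string.
# Heuristic: a bare %A0 may also be a continuation byte of another UTF-8 sequence.
NBSP_FORMS = re.compile(
    r"\u00a0"                      # raw character
    r"|%c2%a0"                     # percent-encoded UTF-8
    r"|%a0"                        # percent-encoded Latin-1
    r"|&nbsp;?"                    # named HTML entity
    r"|&#0*160(?!\d);?"            # decimal character reference
    r"|&#x0*a0(?![0-9a-f]);?",     # hexadecimal character reference
    re.IGNORECASE,
)

def authority_span(url):
    """Return (start, end) offsets of the authority (host) part of url."""
    start = url.find("://")
    start = start + 3 if start != -1 else 0
    for i in range(start, len(url)):
        if url[i] in "/?#":
            return start, i
    return start, len(url)

def nbsp_findings(url):
    """List every NBSP form in url as (offset, matched_text, component)."""
    a_start, a_end = authority_span(url)
    findings = []
    for m in NBSP_FORMS.finditer(url):
        part = "authority" if a_start <= m.start() < a_end else "path/query/fragment"
        findings.append((m.start(), m.group(0), part))
    return findings

def triage(urls):
    """Map each flagged URL to its findings; clean URLs are omitted."""
    return {u: f for u in urls if (f := nbsp_findings(u))}

# Constructed sample input (reserved example domains, not taken from the advisory).
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "http://www.example.com\u00a0\u00a0/login",
    "http://www.example.org/a%C2%A0b?next=%a0",
    "http://www.example.org/p?q=&nbsp;&#160;&#xA0;",
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS).items():
        print(repr(url), hits)
```

A hit in the authority component deserves the closest look, since that is the part of the address a user relies on to judge which site they are on.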


 

References:

http://www.securityfocus.com/bid/31960

 

 
