Microsoft IE Non-breaking Spaces Popup Address Bar Spoofing

OSVDB ID: 30022

Disclosure Date: Oct 25, 2006

Description:

Microsoft Internet Explorer contains a flaw related to the way it displays urls in the address bar of pop-up windows that may allow an attacker to spoof the address bar and possibly conduct phishing attacks via a malicious URL containing non-breaking spaces (%A0).

Vulnerability Classification:

• Remote/Network Access Required
• Input Manipulation
• Loss Of Integrity
• Exploit Available
• Verified

Products:

• Microsoft Corporation Internet Explorer 7

Solution:

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
Click on the address bar in the pop up window and scroll to the left to see the url of the page.

External References:

• CVE ID: 2006-5544
• National Vulnerability Database: CVE-2006-5544
• Bugtraq ID: 20728
• Generic Exploit URL: http://secunia.com/internet_explorer_7_popup_address_bar_spoofing_test/
• ISS X-Force ID: 29827
• CERT VU: 347188
• Secunia Advisory ID: 22542
• Other Advisory URL: http://blogs.technet.com/msrc/archive/2006/10/26/ie-address-bar-issue.aspx
• Security Tracker: 1017122

Credit:

OSVDB does not have information on who discovered this vulnerability. If you have credit information please send it to

Vulnerability Status:

This entry was last updated on Dec 6, 2006. If you have additional information or corrections for this vulnerability please submit them to .