Signature Detail

HTTP: Page With Malicious URL Hiding Encoding

This signature detects attempts to exploit a known vulnerability in Microsoft Internet Explorer. Attackers can embed binary control characters in a URL that is included in a Web page; when the URL is viewed, these control characters prevent Internet Explorer from displaying the complete URL, which might have malicious content.

Extended Description

A weakness has been reported in multiple browsers that may allow attackers to obfuscate the URI for a visited page. The problem is said to occur when a URI designed to pass access a specific location with a supplied username, contains a hexadecimal 1 value prior to the @ symbol. An attacker could exploit this issue by supplying a malicious URI pointing to a page designed to mimic that of a trusted site, and tricking a victim who follows a link into believing they are actually at the trusted location.

Affected Products

• Microsoft Internet Explorer 5.0
• Microsoft Internet Explorer 5.0.1
• Microsoft Internet Explorer 5.0.1 SP1
• Microsoft Internet Explorer 5.0.1 SP2
• Microsoft Internet Explorer 5.0.1 SP3
• Microsoft Internet Explorer 5.0.1 SP4
• Microsoft Internet Explorer 5.5
• Microsoft Internet Explorer 5.5 SP1
• Microsoft Internet Explorer 5.5 SP2
• Microsoft Internet Explorer 6.0
• Microsoft Internet Explorer 6.0 SP1
• Microsoft Outlook Express 4.0
• Microsoft Outlook Express 4.0.1 SP2
• Microsoft Outlook Express 4.27.3110
• Microsoft Outlook Express 4.72.2106
• Microsoft Outlook Express 4.72.3120
• Microsoft Outlook Express 4.72.3612
• Microsoft Outlook Express 5.0
• Microsoft Outlook Express 5.0.1
• Microsoft Outlook Express 5.5
• Microsoft Outlook Express 6.0
• Microsoft Outlook XP
• Mozilla Browser 1.2.1
• MySoft Studio MyIE2 0.9.10

References

• BugTraq: 9182
• CVE: CVE-2003-1025
• URL: http://www.us-cert.gov/cas/techalerts/TA04-033A.html
• URL: http://www.kb.cert.org/vuls/id/652278