|
Microsoft Internet Explorer 7 HTTP Basic Authentication IDN Spoofing
|
|
Secunia Advisory:
|
SA25663
|
|
|
Release Date:
|
2007-06-14
|
|
Popularity:
|
12,755 views
|
|
|
Critical:
|
Not critical
|
|
Impact:
|
Spoofing
|
|
Where:
|
From remote
|
|
Solution Status:
|
Unpatched
|
|
| Software: | Microsoft Internet Explorer 7.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2007-3164
|
|
Description:
A weakness has been discovered in Internet Explorer 7, which can be exploited by malicious people to conduct spoofing attacks.
The problem is caused due to an unintended result of the IDN (International Domain Name) implementation in the HTTP Basic Authentication dialog. This can be exploited to spoof a server in the authentication dialog using international characters in domain names when a user visits a malicious web page.
The weakness is confirmed in Internet Explorer 7 on a fully patched Windows XP. Other versions may also be affected.
Solution:
Do not provide user credential to suspicious authentication dialogs.
Provided and/or discovered by:
Alex
Original Advisory:
http://www.bitsploit.de/archives/428-...main-Basic-Auth-Phishing-Tactics.html
Other References:
http://ha.ckers.org/blog/20070608/cross-domain-basic-auth-phishing-tactics/
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
