Eudora Fails to Correctly Display the Status Bar for URLs Containing Many HTML Character Entities
SecurityTracker Alert ID: 1010117
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 11 2004
Impact: Modification of user information
Exploit Included: Yes
Description: A vulnerability was reported in Eudora. A remote user can cause the target user's Eudora client to obfuscate portions of URLs in the status bar.
Brett Glass reported that a remote user can send an e-mail that includes a link with a large number of HTML character entities (such as encoded space characters '&#32;') in the middle of the URL to cause the Eudora client to fail to display the full URL in the status bar. The portion of the URL that trails the inserted character entities will not be displayed in the status bar, the report said.
A demonstration exploit URL is provided:
<a href="http://www.e-gold.com&#32;&#32;&#32;&#32;&#32;&#32;&#32;&#32;[...the &#32; entity repeated many more times...]&#32;&#32;&#32;&#32;@egegold.com/"><span lang=EN-US style='mso-ansi-language:EN-US'>http://www.e-gold.com/alert</span></a><br>
According to the report, the target user must view the message source to determine the full URL.
Impact: A remote user can send HTML-based e-mail with an embedded URL in a manner that the target user's Eudora client will not display the full URL in the status bar.
Solution: No solution was available at the time of this entry.
Vendor URL: www.eudora.com/
Cause: State error
Reported By: Brett Glass <brett@lariat.org>
Message History:
None.
Source Message Contents
Date: Sat, 08 May 2004 11:10:08 -0600
From: Brett Glass <brett@lariat.org>
Subject: Status bar exploit hides spoofed URLs Eudora, possibly other
Eudora (as well as, possibly, other e-mail clients) is susceptible to an
exploit which can be used to conceal a fraudulent URL. In a fraudulent
("phishing") spam I received this morning, the sender inserted a large
number of character entities (in this case, spaces, coded as &#32;) into
the middle of a URL to force the remainder off the right side of the
status bar, hiding the true destination:
<a href="http://www.e-gold.com&#32;&#32;&#32;&#32;&#32;&#32;&#32;&#32;[...the &#32; entity repeated many more times...]&#32;&#32;&#32;&#32;@egegold.com/"><span lang=EN-US style='mso-ansi-language:EN-US'>http://www.e-gold.com/alert</span></a><br>
When the mouse pointer is passed over the URL, the status bar at the
bottom of the screen shows
http://www.egold.com
and does not reveal the spoofed URL. One must view the message source to
see the actual URL.
This technique is known to work on some browsers, but this is the first
time I've seen it used to spoof e-mail clients.
I am told that if the URL gets much longer, recent versions of Eudora
will overflow a buffer in a way that is exploitable by malware. This
particular phishing expedition doesn't seem to take advantage of that
vulnerability, however.
--Brett Glass
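As an added illustration of the technique described in the advisory and in Brett Glass's report above (this code is not part of either), the following Python checks an HTML anchor the way a mail filter or link-preview hook could: it decodes the character entities as the mail client would, takes the host a browser actually connects to (the part after any '@' userinfo), and compares it with the host named in the visible link text. The sample anchor, the anchor regex and the entity threshold are constructed for this example.

```python
from __future__ import annotations
import html
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the advisory's HTML: the href hides the real
# host behind a run of "&#32;" entities and an "@" (40 entities used here).
SAMPLE_HTML = (
    '<a href="http://www.e-gold.com' + "&#32;" * 40 + '@egegold.com/">'
    "<span lang=EN-US>http://www.e-gold.com/alert</span></a>"
)
ANCHOR_RE = re.compile(
    r'<a\s[^>]*href\s*=\s*["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)
ENTITY_THRESHOLD = 8  # constructed cut-off for an "entity-heavy" href

def host_of(url: str) -> str:
    """Host a browser would connect to: any userinfo before '@' is ignored."""
    return (urlsplit(url).hostname or "").lower()

def real_host(raw_href: str) -> str:
    """Decode entities as the mail client does, then take the real host."""
    return host_of(html.unescape(raw_href))

def displayed_host(link_text: str) -> str:
    """Host named in the visible link text, or '' if the text is not a URL."""
    text = html.unescape(re.sub(r"<[^>]+>", "", link_text)).strip()
    return host_of(text) if "://" in text else ""

def audit_anchor(raw_href: str, link_text: str) -> list[str]:
    """Return findings for one anchor; an empty list means nothing odd."""
    findings = []
    decoded = html.unescape(raw_href)
    userinfo, at, _ = urlsplit(decoded).netloc.rpartition("@")
    if at:
        findings.append("userinfo-before-host")
        if re.search(r"\s", userinfo):  # spaces push the host off the status bar
            findings.append("whitespace-in-userinfo")
    if len(re.findall(r"&#?\w+;", raw_href)) >= ENTITY_THRESHOLD:
        findings.append("entity-heavy-href")
    shown, actual = displayed_host(link_text), real_host(raw_href)
    if shown and shown != actual:
        findings.append(f"host-mismatch:{shown}->{actual}")
    return findings

def audit_html(doc: str) -> list[tuple[str, list[str]]]:
    """(real host, findings) for every anchor in an HTML fragment."""
    return [(real_host(h), audit_anchor(h, t)) for h, t in ANCHOR_RE.findall(doc)]

if __name__ == "__main__":
    for host, findings in audit_html(SAMPLE_HTML):
        print(host, findings)
```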