Published: 2001-06-27 00:00:00
Revised: 2008-09-05 16:23:52

[Original] Internet Explorer 5.5 and earlier allows remote attackers to display a URL in the address bar that is different than the URL that is actually being displayed, which could be used in web site spoofing attacks, aka the "Web page spoofing vulnerability."

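[CNNVD] Microsoft IE SSL Spoofing Vulnerability (CNNVD-200106-144)

        Internet Explorer 5.5 and earlier contain a vulnerability. A remote attacker can display a URL in the address bar that differs from the URL actually being displayed. The vulnerability could be used in web site spoofing attacks and is also known as the "Web page spoofing vulnerability."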

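- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]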

- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:1096 IE Web Page Spoofing Vulnerability

- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(UNKNOWN)  XF  ie-html-url-spoofing(6556)
(UNKNOWN)  BID  2737

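- Vulnerability Information

Microsoft IE SSL Spoofing Vulnerability
High risk  Unknown
2001-06-27 00:00:00 2005-10-12 00:00:00
        Internet Explorer 5.5 and earlier contain a vulnerability. A remote attacker can display a URL in the address bar that differs from the URL actually being displayed. The vulnerability could be used in web site spoofing attacks and is also known as the "Web page spoofing vulnerability."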

- Advisories and Patches

        Microsoft has released a patch which rectifies this issue:
        Service Pack 2 for Internet Explorer 5.5 fixes this issue:
        Microsoft Internet Explorer 5.5 SP1
        Microsoft Internet Explorer 5.5

- Vulnerability Information

Microsoft IE Address Bar URL Spoofing
Remote / Network Access
Loss of Confidentiality
Exploit Public

- Vulnerability Description

Microsoft Internet Explorer has an issue that may allow a web site to display an arbitrary URL in the address bar different from the one actually being visited. This would allow a malicious site to spoof the contents of a legitimate site in an attempt to steal sensitive data from users. This can take place within an SSL session to further add to the legitimacy of the spoof.

- Timeline

2001-05-06 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related References

- Vulnerability Author