Thread-topic: [NT] Phishing Using IE7 Local Resource Vulnerability
> - - - - - - - - -
> Phishing Using IE7 Local Resource Vulnerability
> Internet Explorer 7.0 is vulnerable to cross-site scripting
> in one of its local resources. In combination with a design
> flaw in this specific local resource it is possible for an
> attacker to easily conduct phishing attacks against IE7 users.
> Vulnerable Systems:
> * Windows Vista - Internet Explorer 7.0
> * Windows XP - Internet Explorer 7.0
> The navcancl.htm local resource is used by the browser when
> for some reason a navigation to a specific page is canceled.
> When a navigation is canceled the URL of the specific page is
> provided to the navcancl.htm local resource after the # sign.
> For example:
> res://ieframe.dll/navcancl.htm#http://www.site.com. The
> navcancl.htm page then generates a script in the Refresh the
> page. link in order to reload the provided site again when
> the user clicks on this link. It is possible to inject a
> script in the provided link which will be executed when the
> user clicks on the Refresh the page. link. Luckily, Internet
> Explorer now runs most of its local resources (including
> navcancl.htm) in Internet Zone , so this vulnerability cannot
> be exploited to conduct a remote code execution.
> Unfortunately, there is also a design flaw in IE7. The
> browser automatically removes the URL path of the local
> resource and leaves only the provided URL. For example: when
> the user visits
> res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 will
> show http://www.site.com in the address bar.
> To perform a phishing attack, an attacker can create a
> specially crafted navcancl.htm local resource link with a
> script that will display a fake content of a trusted site
> (e.g. bank, paypal, MySpace). When the victim will open the
> link that was sent by the attacker, a Navigation Canceled
> page will be displayed. The victim will think that there was
> an error in the site or some kind of a network error and will
> try to refresh the page. Once he will click on the Refresh
> the page. link, The attacker s provided content (e.g. fake
> login page) will be displayed and the victim will think that
> he s within the trusted site, because the address bar shows
> the trusted site s URL.
> A CNN.com article spoofing proof-of-concept can be found here
> %2fnavcancl%2fcnn.html> .
> Additional Information:
> The information has been provided by Aviv Raff
> <mailto:avivra@xxxxxxxxx> .
> The original article can be found at: