CVE-2007-3164

Microsoft Internet Explorer 7, when prompting for HTTP Basic Authentication for an IDN web site, uses ACE labels for the domain name in the status bar, but uses internationalized labels for this name in the authentication dialog, which might allow remote attackers to perform phishing attacks if the user misinterprets confusable characters in the internationalized labels, as demonstrated by displaying xn--theshmogroup-bgk.com only in the status bar.

CVSS v2.0 5.8 MEDIUM

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://ha.ckers.org/blog/20070608/cross-domain-basic-auth-phishing-tactics/
http://www.bitsploit.de/archives/428-Cross-Domain-Basic-Auth-Phishing-Tactics.html
http://www.securityfocus.com/bid/24483
http://secunia.com/advisories/25663
http://osvdb.org/36142
https://exchange.xforce.ibmcloud.com/vulnerabilities/34867

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*

Information

Published : 2007-06-11 15:30

Updated : 2021-07-23 08:05

NVD link : CVE-2007-3164

Mitre link : CVE-2007-3164

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

microsoft

internet_explorer

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://ha.ckers.org/blog/20070608/cross-domain-basic-auth-phishing-tactics/", "name": "http://ha.ckers.org/blog/20070608/cross-domain-basic-auth-phishing-tactics/", "tags": [], "refsource": "MISC"}, {"url": "http://www.bitsploit.de/archives/428-Cross-Domain-Basic-Auth-Phishing-Tactics.html", "name": "http://www.bitsploit.de/archives/428-Cross-Domain-Basic-Auth-Phishing-Tactics.html", "tags": [], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/24483", "name": "24483", "tags": [], "refsource": "BID"}, {"url": "http://secunia.com/advisories/25663", "name": "25663", "tags": [], "refsource": "SECUNIA"}, {"url": "http://osvdb.org/36142", "name": "36142", "tags": [], "refsource": "OSVDB"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34867", "name": "ie-idn-authentication-spoofing(34867)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Microsoft Internet Explorer 7, when prompting for HTTP Basic Authentication for an IDN web site, uses ACE labels for the domain name in the status bar, but uses internationalized labels for this name in the authentication dialog, which might allow remote attackers to perform phishing attacks if the user misinterprets confusable characters in the internationalized labels, as demonstrated by displaying xn--theshmogroup-bgk.com only in the status bar."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2007-3164", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 4.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2007-06-11T22:30Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-07-23T15:05Z"}