mIRC 6.03 and below allows an attacker to misleading supply a URL that poses as one URL but leads to another by setting the color of the secondary URL to the default background color.
6b69a01535a0c67322cb56b25faa8fc7dba090f0825a3a04ed026b05cdd0462d
I. BACKGROUND
mIRC is "a friendly IRC client that is well equipped with options and
tools"
More information about the application is available at
http://www.mirc.com
II. DESCRIPTION
The 'URL handler' allows a user to double-click an url posted in a channel
or in a query. This will afterwards be opened in the default browser.
The 'URL handler' fails to filter/ignore colour codes in links, making
'url spoofing' possible.
III. ANALYSIS
Messaging users stuff like "Oh my god Saddam just blew up Israel look
for yourself on www.cnn.com0@www.paysite.com/ref.php?refid=spam-user"
will lead the target to beleive he's entering cnn.com, while he is in
fact accessing www.paysite.com and giving clicks/cash/whatever to the
'attacker'. Note that the 0 is the colour white, which is the default
background colour in mIRC.
IV. DETECTION
mIRC 6.03 and below (those versions who incorporate colour codes/url
handling) are found to be vulnerable.
V. WORKAROUND
unknown
VI. VENDOR FIX
unknown
VII. CVE INFORMATION
unknown
VIII. DISCLOSURE TIMELINE
unknown
IX. CREDIT
Knud Erik Højgaard/kokaninATdtors.net