[14878] in bugtraq
IE Domain Confusion Vulnerability
daemon@ATHENA.MIT.EDU (Foo Bar)
Fri May 12 00:14:34 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000511135609.D7774@securityfocus.com>
Date: Thu, 11 May 2000 13:56:09 -0700
Reply-To: aleph1@SECURITYFOCUS.COM
From: Foo Bar <aleph1@SECURITYFOCUS.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
IE can be fooled into thinking a web page is in any domain by encoding
some characters in the URL and placing the domain you want to spoof
at the end of the URL. For example the URL
http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com
is in the pecefire.org domain but because "/" and "?" are replaced by
"%2f" and "%3f" IE will think the URL is in the amazon.com domain.
You can find more information at http://www.peacefire.org/security/iecookies/
Although the web page only mentions cookies it may be possible to exploit
the problem in other ways as the security setting for domains may be
different. For example the users may allow the execution of unsigned
ActiveX controls from its company domain.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
