[26901] in bugtraq
MSIEv6 % encoding causes a problem again
daemon@ATHENA.MIT.EDU (Liu Die Yu)
Tue Sep 3 13:51:06 2002
Date: 3 Sep 2002 12:49:20 -0000
Message-ID: <20020903124920.32103.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Liu Die Yu <liudieyuinchina@yahoo.com.cn>
To: bugtraq@securityfocus.com
it's about cross-site scripting at MSIEv6 client side using % encoding,
but not the same as the one by PeaceFire.org which doesn't work on my PC.
[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}
[demo]
at
http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
or
clik.to/liudieyu ==> 2FforMSIE-MyPage section.
[exp]
%?? in URL is decoded when IE caculates the domain, but not decoded while
downloading a page.
so
[CODE.URL]http://www.yahoo.com%2F@clik.to/liudieyu
( 2F=hex$(asc('/')) )
leads to clik.to/liudieyu instead of www.yahoo.com, and the domain of it
www.yahoo.com for IE
Very simple, that's all.
[contact]
liudieyuinchina@yahoo.com.cn
