[32786] in bugtraq


Re: Internet Explorer URL parsing vulnerability

daemon@ATHENA.MIT.EDU (William Stockall)
Wed Dec 10 19:50:32 2003

Message-ID: <3FD7765D.7030605@compusmart.ab.ca>
Date: Wed, 10 Dec 2003 12:39:09 -0700
From: William Stockall <wstockal@compusmart.ab.ca>
MIME-Version: 1.0
To: Pedro Castro <noupy@mail.telepac.pt>
Cc: bugtraq@securityfocus.com
In-Reply-To: <3FD66545.5080005@mail.telepac.pt>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

I don't see this problem with Mozilla Firebird 0.7.  It displays the 
whole URL including the %01 and everything after the @ symbol.

			Will.

Pedro Castro wrote:
> It does also apply to Mozilla Firebird 0.7.
> 
> 
> 
> John W. Noerenberg II wrote:
> 
>> This exploit also applies to the Macintosh version of Explorer 
>> v5.2.3(5815.1)
>>
>>> From: <bugtraq@zapthedingbat.com>
>>> To: bugtraq@securityfocus.com
>>> Subject: Internet Explorer URL parsing vulnerability
>>>
>>>
>>>
>>> Internet Explorer URL parsing vulnerability
>>> Vendor Notified 09 December, 2003
>>>
>>> # Vulnerability ##########
>>> There is a flaw in the way that Internet Explorer displays URLs in 
>>> the address bar.
>>>
>>> By opening a specially crafted URL an attacker can open a page that 
>>> appears to be from a different domain from the current location.
>>>
>>> # Exploit ##########
>>> By opening a window using the http://user@domain nomenclature an 
>>> attacker can hide the real location of the page by including a 0x01 
>>> character after the "@" character.
>>> Internet Explorer doesn't display the rest of the URL making the page 
>>> appear to be at a different domain.
>>>
>>> # POC ##########
>>> http://www.zapthedingbat.com/security/ex01/vun1.htm
>>>
>>> # Tested ##########
>>> Internet Explorer
>>> Version 6.0.2800.1106C0
>>> Updates: SP1, Q810847, Q810351, Q822925, Q330994, Q828750, Q824145
>>>
>>> # Credit ##########
>>> Zap The Dingbat
>>> http://www.zapthedingbat.com/
>>
>>
>>
> 
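A defensive check for the URL form discussed in this thread, added here as an example and not taken from any of the posts: it splits off the userinfo part of an http://user@domain URL, reports the host the browser will actually contact, and flags control characters (raw or percent-encoded, such as the 0x01 / %01 mentioned above) on either side of the "@". The function name `inspect_url`, the finding labels and the sample URLs are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# scheme://authority, where the authority ends at the first "/", "?" or "#".
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://(?P<authority>[^/?#]*)")

def _is_control(ch):
    return ord(ch) < 0x20 or ord(ch) == 0x7F

def _has_control(text):
    """True if text holds a control character, raw or percent-encoded."""
    return any(_is_control(c) for c in unquote(text, encoding="latin-1"))

def inspect_url(url):
    """Return (real_host, findings) for one URL string."""
    m = _AUTHORITY.match(url)
    if not m:
        return None, ["no-authority"]
    # Everything before the last "@" in the authority is userinfo, not a host.
    userinfo, at, hostport = m.group("authority").rpartition("@")
    findings = []
    if at:
        findings.append("userinfo-present")
        if _has_control(userinfo):
            findings.append("control-char-in-userinfo")
        if "." in userinfo.split(":")[0]:
            findings.append("userinfo-looks-like-hostname")
    if _has_control(hostport):
        findings.append("control-char-in-host")
    # Drop the port (IPv6 literals keep their brackets).
    if hostport.startswith("["):
        host = hostport[: hostport.find("]") + 1]
    else:
        host = hostport.split(":")[0]
    decoded = unquote(host, encoding="latin-1")
    real_host = "".join(c for c in decoded if not _is_control(c)).lower()
    return real_host, findings

# Constructed samples using reserved example names (not URLs from the thread).
SAMPLES = [
    "http://www.trusted.example%01@host.example/page.htm",
    "http://user@\x01host.example/",
    "http://www.example.org/a@b",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(repr(url), inspect_url(url))
```

A mail or proxy filter can show `real_host` to the user, or reject the link outright when any control-character finding is present.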
