[Dshield] MSFT Internet Explorer, %01 URL spoofing

Eric Tillery k6az at k6az.com
Sat Dec 13 22:11:27 GMT 2003


At 02:42 PM 12/13/2003, Johannes B. Ullrich wrote:
>I was playing earlier with the latest Internet Explorer URL spoofing
>vulnerability. If you havent heard yet: By inserting the ASCII character
>'0x01' into your URL, you can trick Internet Explorer into hiding the
>actual URL you go to.
>
>Of course, https does not protect you in this case, unless you are
>looking at the certificate. If you need to explain to someone how bad
>this can be, take a look at my little demo page:
>
>http://johannes.homepc.org/ievuln.html

One thing that is often overlooked is the ability to right-click on the page
and look at the properties. Doing this, the page is clearly a fake:

http://www.k6az.com/forums/fakebank_iex6.jpg


>I am not exactly sure what to tell people that would like to protect
>themselves. Is 'using a different browser' the only protection? Looking
>at the certificate will of course help. But thats not always so easy for
>a non-technical user.

I saw another person report that Netscape 7.1 is vulnerable. This is 
interesting,
because Mozilla 1.5, based pretty much on Netscape, is not:

http://www.k6az.com/forums/fakebank_mozilla.jpg






More information about the list mailing list