[Dshield] MSFT Internet Explorer, %01 URL spoofing
k6az at k6az.com
Sun Dec 14 03:11:23 GMT 2003
At 09:40 PM 12/13/2003, you wrote:
>On Sat, 13 Dec 2003 17:11:27 -0500 Eric Tillery wrote:
> > One thing that is often overlooked is the ability to right-click
> > on the page and look at the properties. Doing this, the page is
> > clearly a fake:
> > http://www.k6az.com/forums/fakebank_iex6.jpg
>Eric, I found a couple of other tricks, then saw your post and was
>excited. However, your tip (and some of mine, below) do **NOT** work
>with the "%001" URL in http://johannes.homepc.org/ievuln.html (tested
>with latest IE6SP1 on XP and NT4) so it should not be recommended.
>Boy, this is tricky...
>Has Johannes disclosed another vulnerability?
I realized this after posting that message. The only way I have found to find
the true URL in the last site is by looking at the source code of the page.
Once again, Mozilla has given IEX a black eye when it comes to security.
Even the last site shows the full address in the URL bar:
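The source-inspection check described in the message above can be automated. The following is an added example, not part of the original post: it assumes the spoof takes the form of a decoy host name and an encoded control byte placed in the userinfo part before "@", and the function names and sample hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote_to_bytes


class _HrefCollector(HTMLParser):
    """Collect href/src/action attribute values from page source."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def audit_url(url):
    """Return (true_host, decoy, has_control_byte), or None if no userinfo."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return None
    userinfo, _, hostport = parts.netloc.rpartition("@")
    # Percent-encoded bytes below 0x20 (such as %01) have no place in userinfo.
    has_control = any(b < 0x20 for b in unquote_to_bytes(userinfo))
    return hostport.lower(), userinfo, has_control


def find_spoofed_links(page_source):
    """List (url, true_host, decoy, has_control_byte) for each suspect link."""
    collector = _HrefCollector()
    collector.feed(page_source)
    hits = ((url, audit_url(url)) for url in collector.urls)
    return [(url,) + hit for url, hit in hits if hit]


# Constructed sample source; hosts are reserved documentation names.
SAMPLE = """
<a href="http://www.bank.example/login">ok</a>
<a href="http://www.bank.example%01@host.invalid/login.html">Sign in</a>
<form action="http://user@intranet.example/submit"></form>
"""

if __name__ == "__main__":
    for url, host, decoy, ctrl in find_spoofed_links(SAMPLE):
        print(f"true host={host!r} decoy={decoy!r} control_byte={ctrl} url={url}")
```

Any link reported with `has_control_byte` set deserves attention first; plain userinfo such as `user@host` is reported too, since the host the browser contacts is always the part after the last "@".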