[Dshield] MSFT Internet Explorer, %01 URL spoofing

Johannes B. Ullrich jullrich at sans.org
Sun Dec 14 03:18:13 GMT 2003

> Has Johannes disclosed another vulnerability?

hm. %001 seems to be special. I didn't intend to disclose anything new,
at least. I did try several &#001 and the 'properties' window shows them
as it should.

> Johannes, what I dislike about your demo are the images from Verisign 
> and Comodo (blame on the companies, not you :).

The intent of the demo was mostly to show that SSL does not protect
from this issue. The "site seals" underline the point (e.g. if you
click on them, you get a fake Verisign/Instant SSL site... if you
can spoof one secure site, you can spoof others).

The real Verisign site seal is actually a much more complex Flash
image. However, I believe one could fake that as well. It's just
more work. And as long as people get away with passing one-sided
inkjet color copies as real money, people will not pay attention.

> SSL protects connections.

SSL is supposed to do more than encrypt. It should validate the
server's identity. And as far as this bug is concerned, it does so
perfectly. However, it validates a different site than the one the user
believes they are visiting.

This isn't so much an SSL problem as a user-perception / browser-
presentation issue.

> If that is impossible, they can visit the homepage of the particular site by
> clicking it in their own list of favorites (or by manually entering
> the URL they are familiar with), and look for clues regarding the
> request, and follow applicable URLs from there - if any.

Yes. I think that's the best way to deal with it: type the URL, maybe
even the one shown in the e-mail. But best, just go to the homepage
and work your way to the page from there.

> Without any other means of verification, people should NEVER fully 
> trust emails. They're too easy to spoof and are not suitable for the 
> requests mentioned.

I wish people would use signed/encrypted e-mails :-/. While this does
lead to some of the same "trust" issues as SSL, it would be a step in
the right direction.

> People should learn to recognize malicious sites (and avoid them). 
> Usually that's not hard at all

The point of the '%01' issue is that it makes it so much harder.
BTW: Proxies may be able to filter the '%01' issue. But configuration
may be tricky.

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563
  fax: (617) 786 1550                          jullrich at sans.org
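The proxy-side filter mentioned at the end of the message, as an added example that is not part of the original post. It assumes the spoof URL takes the form `http://<decoy host>%01@<real host>/...`, where a browser that stops rendering the address at the control character shows only the decoy while the connection (and the SSL certificate check) goes to the real host; the sample URLs are constructed.

```python
# Added example (not from the thread): a proxy-style check for URLs shaped like the
# '%01' IE display bug. ASSUMPTION: the spoof URL is  http://<decoy>%01@<real host>/
# where the display stops at the control byte but the request goes to <real host>.
import re
from urllib.parse import urlsplit, unquote

# Percent-encoded C0 control characters (%00-%1F) and DEL (%7F) in the userinfo part.
PCT_CONTROL = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")


def inspect_url(url: str) -> dict:
    """Return the real host, the host a truncating display would show, and a verdict."""
    parts = urlsplit(url)
    netloc = parts.netloc
    real_host = parts.hostname or ""
    if "@" not in netloc:
        # No userinfo at all: nothing for a decoy host name to hide behind.
        return {"suspicious": False, "real_host": real_host, "shown_host": real_host, "reason": ""}

    userinfo = netloc.rpartition("@")[0]
    raw_control = any(ord(c) < 0x20 or ord(c) == 0x7F for c in userinfo)
    pct_control = PCT_CONTROL.search(userinfo) is not None
    # What an address bar that truncates at the first control byte would display.
    shown = re.split(r"[\x00-\x1f\x7f]", unquote(userinfo), maxsplit=1)[0]
    # A decoy before '@' typically looks like a domain name, not like a user name.
    looks_like_host = bool(re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", shown.split(":")[0]))

    if raw_control or pct_control:
        reason = "control character in userinfo (the %01 trick)"
    elif looks_like_host:
        reason = "userinfo looks like a hostname (decoy before '@')"
    else:
        return {"suspicious": False, "real_host": real_host, "shown_host": real_host, "reason": ""}
    return {"suspicious": True, "real_host": real_host, "shown_host": shown, "reason": reason}


def proxy_decision(url: str) -> str:
    """Policy a filtering proxy could apply: block spoof-shaped URLs, pass everything else."""
    return "BLOCK" if inspect_url(url)["suspicious"] else "ALLOW"


if __name__ == "__main__":
    # Constructed samples; 203.0.113.5 is a reserved documentation address.
    for u in ("https://www.verisign.com/",
              "http://www.verisign.com%01@203.0.113.5/login",
              "ftp://user:pw@ftp.example.net/"):
        print(proxy_decision(u), inspect_url(u))
```

Legitimate `user:password@host` URLs still pass, so the rule can sit in front of a proxy without breaking ordinary authenticated fetches.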
