[Dshield] MSFT Internet Explorer, %01 URL spoofing

Johannes B. Ullrich jullrich at sans.org
Mon Dec 15 12:22:53 GMT 2003

> Some Bugtraq members have reported Mozilla / Firebird and Opera as
> vulnerable, others have reported these browsers as not vulnerable.

I just added number labels to each test URL at
http://johannes.homepc.org/ievuln.html to make it easier to identify the
tests. Maybe I will add a little feedback form later.

Here are my results from Mozilla and Netscape 7.1 under Linux:

#4 (inserting spaces) has some success if you hover over the link, as it
pushes the real URL off the screen.

#5 (%001) cuts off the URL as I hover.

All links show the full URL in the URL bar after clicking on them. #4
(spaces) has some success in pushing the real URL off the screen, but
there are lots of ugly '%20'. 

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org
