[Dshield] MSFT Internet Explorer, %01 URL spoofing

Johannes B. Ullrich jullrich at sans.org
Mon Dec 15 16:31:53 GMT 2003


On Mon, 2003-12-15 at 10:58, Hudak, Tyler wrote:
> Has anyone been able to successfully exploit this via an email received in
> Outlook?

I did manage it in Outlook Express. It did require sending HTML email.
See how this looks in Outlook (I am not able to post html to the list):

http://secure.fakebank.com&001;@secure.euclidian.com/fakebank.html

or with '<a>' tags:

<a
href="http://secure.fakebank.com&001;@secure.euclidian.com/fakebank.html">
http://secure.fakebank.com
</a>

(some e-mail readers will parse '<a>' tags even in text email.)



> I have tried using all of the techniques on Johannes' page and each
> results in the page being opened, but the URL looking like it should (no
> spoofing occurring).
> 
> I have Outlook set up in the Restricted security zone, which may be the
> reason why this doesn't work.
> 
> Tyler
-- 
CTO SANS Internet Storm Center    http://isc.sans.org
phone: (617) 786 1563
fax:   (617) 786 1550             jullrich at sans.org
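The two forms shown in the message (a bare URL with a control character before the `@`, and an `<a>` tag whose visible text names a different host than its `href`) are exactly what a mail gateway or link-checker should flag. The following is an added example, not code from the original message or from the Internet Storm Center; it shows how a defender can resolve the host a browser will actually connect to and compare it against what the user is shown. The sample URLs are constructed for the example (the `&#001;` and `%01` spellings are assumed encodings of the `%01` character the thread refers to), and the function and field names are the example's own.

```python
import re
from urllib.parse import urlsplit, unquote

# Any C0 control character or DEL inside the userinfo part is the tell-tale sign.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Decimal or hex numeric character references, as they appear in HTML mail.
NUMERIC_REF = re.compile(r"&#(?:x([0-9a-fA-F]+)|(\d+));")

# Constructed samples modelled on the pattern discussed in the thread.
SAMPLES = [
    "http://secure.fakebank.com&#001;@secure.euclidian.com/fakebank.html",  # HTML entity
    "http://secure.fakebank.com%01@secure.euclidian.com/fakebank.html",     # percent-encoded
    "http://secure.euclidian.com/fakebank.html",                            # no userinfo
    "http://user:pass@secure.euclidian.com/",                               # userinfo, no control
]


def decode_numeric_refs(text):
    """Expand &#NNN; / &#xHH; references while keeping control characters intact.

    A general-purpose HTML unescaper drops C0 control code points, which would
    erase exactly the byte this check needs to see, so the decoding is explicit.
    """
    def repl(match):
        num = int(match.group(1), 16) if match.group(1) else int(match.group(2))
        return chr(num) if num <= 0x10FFFF else match.group(0)
    return NUMERIC_REF.sub(repl, text)


def analyze_url(raw):
    """Resolve a URL the way a browser will and report what the user would see."""
    decoded = unquote(decode_numeric_refs(raw))
    parts = urlsplit(decoded)
    userinfo, sep, _ = parts.netloc.rpartition("@")
    userinfo = userinfo if sep else ""
    has_control = bool(CONTROL.search(userinfo))
    # Text a display that stops at the first control character would show.
    visible_prefix = CONTROL.split(userinfo, 1)[0] if has_control else userinfo
    if userinfo and has_control:
        verdict = "spoof"      # host-like userinfo hidden behind a control char
    elif userinfo:
        verdict = "warn"       # credentials in the URL: unusual in mail, worth a look
    else:
        verdict = "ok"
    return {
        "real_host": parts.hostname or "",
        "userinfo": userinfo,
        "visible_prefix": visible_prefix,
        "verdict": verdict,
    }


def check_anchor(href, text):
    """Compare the host a link opens with the host its visible link text claims."""
    target = analyze_url(href)
    claimed = analyze_url(text.strip())["real_host"] if "://" in text else ""
    return {
        "opens": target["real_host"],
        "claims": claimed,
        "mismatch": bool(claimed) and claimed != target["real_host"],
        "verdict": target["verdict"],
    }


if __name__ == "__main__":
    for url in SAMPLES:
        print(analyze_url(url))
    # The <a> tag form from the message: href and visible text disagree.
    print(check_anchor(SAMPLES[0], "http://secure.fakebank.com"))
```

Running the block prints a verdict of `spoof` for the first two samples, both resolving to `secure.euclidian.com` while the visible prefix reads `secure.fakebank.com`; the anchor check additionally reports the link-text/host mismatch that survives even when the control character is stripped by an intermediate filter.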
