[Dshield] MSFT Internet Explorer, %01 URL spoofing

Hudak, Tyler Tyler.Hudak at roadway.com
Mon Dec 15 17:54:49 GMT 2003


The two links still showed as https://secure.euclidian.com/fakebank.html in
IE when clicked on from Outlook.  These were both sent in an HTML email.

When sent in a text email, the link was hyperlinked, but showed validly.

Tyler


Johannes wrote:

I did manage it in Outlook Express. It did require sending HTML email.
See how this looks in Outlook (I am not able to post html to the list):

http://secure.fakebank.com&001;@secure.euclidian.com/fakebank.html

or with '<a>' tags:

<a
href="http://secure.fakebank.com&001;@secure.euclidian.com/fakebank.html">
http://secure.fakebank.com
</a>

(some e-mail readers will parse '<a>' tags even in text email.)
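
An added example, not part of either message above: a Python check that a mail filter could run over HTML bodies to flag the link shape quoted in this thread (a userinfo part before '@', a control character such as %01 inside it, and visible link text naming a different host than the href). The hosts in the sample are constructed placeholders, and the function and finding names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

AUTHORITY = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", re.I)
CTRL = re.compile(r"[\x00-\x1f\x7f]")  # C0 control characters and DEL

class AnchorCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Return (userinfo or None, lowercase host or None) from a URL's authority."""
    m = AUTHORITY.match(url.strip())
    userinfo, sep, hostport = (m.group(1) if m else "").rpartition("@")
    return (userinfo if sep else None), hostport.split(":")[0].lower() or None

def check_link(href, text=""):
    """Findings for one link; an empty list means nothing was flagged."""
    findings = []
    userinfo, real_host = host_of(href)  # split on the raw URL, decode afterwards
    if userinfo is not None:
        findings.append("userinfo-in-url")
        if CTRL.search(unquote(userinfo)):  # e.g. %01 before the '@'
            findings.append("control-char-in-userinfo")
    shown_host = host_of(text)[1]  # only set when the link text is itself a URL
    if real_host and shown_host and shown_host != real_host:
        findings.append("text-host-mismatch")
    return findings

def scan_html(body):
    parser = AnchorCollector()
    parser.feed(body)
    parser.close()
    return [(h, f) for h, t in parser.links if (f := check_link(h, t))]

# Constructed sample, modelled on the link shape quoted in the thread.
SAMPLE = ('<a href="http://secure.bank.example%01@other-site.example/fakebank.html">'
          'http://secure.bank.example</a> <a href="https://secure.bank.example/help">help</a>')
```

`scan_html(SAMPLE)` reports only the first link, with all three findings; the plain help link is not flagged.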


