[Dshield] MSFT Internet Explorer, %01 URL spoofing

John Sage jsage at finchhaven.com
Wed Dec 17 12:51:36 GMT 2003

On Sun, Dec 14, 2003 at 06:06:47PM -0500, James C. Slora Jr. wrote:
> From: "James C. Slora Jr." <Jim.Slora at phra.com>
> To: <list at dshield.org>
> Subject: Re: [Dshield] MSFT Internet Explorer, %01 URL spoofing
> Date: Sun, 14 Dec 2003 18:06:47 -0500
> Old-X-Envelope-To: list at dshield.org

/* snip */

> Some Bugtraq members have reported Mozilla / Firebird and Opera as
> vulnerable, others have reported these browsers as not vulnerable. We have
> one person here saying that Netscape on Windows is vulnerable for them and
> another who says it is not. There are inconsistencies from machine to
> machine, and some people report inconsistencies on a single machine.

/* snip */

One issue that I've pointed out is that the original post, in the body
text, placed the 0x01 *after* the ampersand.

# Exploit ##########
By opening a window using the http://user@domain nomenclature an
attacker can hide the real location of the page by including a 0x01
character after the "@" character.

The html source of the original POC, and Johannes' web page, all
correctly have the 0x01 (or whatever..) *before* the ampersand.

There may be some people out there who are unknowingly trying to
compare apples and oranges...

- John
"Most people don't type their own logfiles;  but, what do I care?"
John Sage: InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
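An added example, not from this thread or its authors, that shows the apples-and-oranges point above in code: a small Python checker splits the URL authority at the last "@", percent-decodes each side, and reports whether the 0x01 sits in the userinfo (before "@", as in the POC and Johannes' page) or in the host part (after "@", as in the body text). The host names are hypothetical and constructed for the example.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample URLs with hypothetical hosts; not taken from the original post.
POC_FORM  = "http://www.example-bank.test%01@attacker.test/login"   # 0x01 before "@"
BODY_FORM = "http://www.example-bank.test@%01attacker.test/login"   # 0x01 after "@"
PLAIN     = "http://attacker.test/login"                           # no userinfo at all


def has_control_char(s):
    """True if the percent-decoded string contains a C0 control byte (0x00-0x1F) or DEL."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in unquote(s))


def analyze_url(url):
    """Split the authority into userinfo and real host and report where control chars sit."""
    netloc = urlsplit(url).netloc
    userinfo, at, hostport = netloc.rpartition("@")   # last "@" separates userinfo from host
    host = hostport.split(":")[0]                       # drop any :port
    return {
        "userinfo": userinfo if at else None,
        "real_host": host,
        "control_in_userinfo": bool(at) and has_control_char(userinfo),
        "control_in_host": has_control_char(host),
    }


def classify(url):
    """Label a URL the way a proxy or mail filter might log it."""
    info = analyze_url(url)
    if info["userinfo"] is None:
        return "no-userinfo"
    if info["control_in_userinfo"]:
        return "userinfo-control-char"   # the shape of the %01 address-bar spoof
    if info["control_in_host"]:
        return "malformed-host"          # control char after "@": a different thing
    return "userinfo-present"


if __name__ == "__main__":
    for url in (POC_FORM, BODY_FORM, PLAIN):
        info = analyze_url(url)
        print(f"{classify(url):22} real host={info['real_host']!r} userinfo={info['userinfo']!r}")
```

Only the first form is the spoof the thread discusses; the second yields a host name that is simply malformed, which is why test results differ depending on which form a given person pasted.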
