[Dshield] MSFT Internet Explorer, %01 URL spoofing
Johannes B. Ullrich
jullrich at sans.org
Wed Dec 17 14:06:20 GMT 2003
> # Exploit ##########
> By opening a window using the http://user@domain nomenclature an
> attacker can hide the real location of the page by including a 0x01
> character after the "@" character.
> The html source of the original POC, and Johannes' web page, all
> correctly have the 0x01 (or whatever..) *before* the ampersand.
Just to illustrate, I included the version with 0x01 *after* the
ampersand. On Mozilla 1.4 under Linux, it attempts to go to
"fakebank.com", which does not exist (so you get a 'page not found').
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550 jullrich at sans.org
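A defensive check for the URL pattern discussed in this message, as an added example that is not part of the original post: it extracts the host a `http://user@domain` URL actually points to and flags userinfo and control characters (raw 0x01 or encoded `%01`) anywhere in the authority, which covers placement on either side of the "@". The function name `inspect_url`, the finding strings and the host `example.test` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# C0 control characters and DEL, checked after percent-decoding so that
# both a raw 0x01 byte and the encoded form "%01" are caught.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
AUTHORITY = re.compile(r"^(https?)://([^/?#]*)", re.IGNORECASE)


def inspect_url(url):
    """Return (host, findings) for an absolute http(s) URL."""
    m = AUTHORITY.match(url)
    if not m:
        return None, ["not an absolute http(s) URL"]
    authority = m.group(2)
    # Everything before the last "@" is userinfo, not the destination.
    userinfo, at, hostport = authority.rpartition("@")
    findings = []
    if at:
        findings.append("userinfo present; text before '@' is not the host")
    if CONTROL.search(unquote(authority)):
        findings.append("control character in authority")
    host = re.sub(r":\d*$", "", hostport).lower()
    return host, findings


# Constructed samples; example.test stands in for the real destination.
SAMPLES = [
    "http://www.fakebank.com%01@example.test/login",   # encoded 0x01 before "@"
    "http://www.fakebank.com\x01@example.test/login",  # raw 0x01 before "@"
    "https://example.test:8443/path?q=a@b",            # "@" only in the query
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(repr(u), inspect_url(u))
```

A mail or proxy filter could call `inspect_url` on each link and show or log the returned host instead of the text the link displays.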