[Dshield] MSFT Internet Explorer, %01 URL spoofing

Alan Frayer afrayer at frayernet.com
Wed Dec 17 16:26:29 GMT 2003

On Wed, 2003-12-17 at 09:06, Johannes B. Ullrich wrote:

> > # Exploit ##########
> > By opening a window using the http://user@domain nomenclature an
> > attacker can hide the real location of the page by including a 0x01
> > character after the "@" character.
> >           ^^^^^
> > 
> > The HTML source of the original POC, and Johannes' web page, all
> > correctly have the 0x01 (or whatever..) *before* the ampersand.
> Just to illustrate, I included the version with 0x01 *after* the
> ampersand. On Mozilla 1.4 under Linux, it attempts to go to
> "fakebank.com", which does not exist (so you get a 'page not found').

Again, Opera on RH9 Linux exhibits a warning window about a username in
the URL and displays the true destination before allowing you to go
there. The spaced version does hide the destination from initial
display, but is clearly displayed in the warning window.


Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Friends don't let friends use Active Directory
Visit Frayernet - http://www.frayernet.com
Shop at buyneatstuff - http://www.buyneatstuff.net
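
Added example, not part of the original message or of the proof of concept discussed in the thread: a link check in the spirit of the Opera warning described above, which reports the host that follows the last "@" and rejects userinfo padded with control bytes or spaces. The hostnames, the function name and the verdict names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# scheme "://" authority; the authority ends at the first "/", "?" or "#" (RFC 3986).
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")

def inspect_url(url):
    """Return (verdict, true_host), or None if the URL has no authority part.

    verdict: "ok"    - no userinfo before the host
             "warn"  - userinfo present; show the user the true host
             "block" - userinfo carries control bytes or spaces (raw or
                       percent-encoded), the padding used to hide the host
    """
    m = _AUTHORITY.match(url)
    if m is None:
        return None
    # Everything before the LAST "@" in the authority is userinfo; the host
    # that will actually be contacted is what follows it.
    userinfo, at, hostport = m.group(1).rpartition("@")
    if hostport.startswith("["):                      # IPv6 literal
        host = hostport[: hostport.find("]") + 1]
    else:
        host = hostport.split(":", 1)[0]              # drop the port
    host = host.lower()
    if not at:
        return ("ok", host)
    decoded = unquote_to_bytes(userinfo)              # "%01" -> b"\x01"
    if any(b <= 0x20 or b == 0x7F for b in decoded):
        return ("block", host)
    return ("warn", host)

# Constructed sample links (hypothetical hosts, not taken from the thread).
SAMPLES = [
    "http://www.trusted.example%01@fakebank.example/login",
    "http://www.trusted.example\x01@fakebank.example/login",
    "http://www.trusted.example%20%20%20@fakebank.example/",
    "http://user@fakebank.example:8080/",
    "http://fakebank.example/profile/@user",
    "mailto:user@fakebank.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", inspect_url(s))
```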
